Re: Someone has working setup of sound in rdesktop?
Toma Bodar wrote:
> Hi all,
>
> I'm trying to bring sound up in connection with Windows XP through
> rdesktop(1), but still no success. Googling recommend solutions which I
> tried yet and no special info in man page.
> Here is my script for connection :
>
> #!/bin/sh
> /usr/local/bin/rdesktop -u myname -d domain -g 1440x900 -a 16 -0 -r
> sound:remote remoteIP &

I believe you want "sound:local" if you want the sound to come out on the machine you are running rdesktop at.

/Alexander
Someone has working setup of sound in rdesktop?
Hi all,

I'm trying to bring sound up in connection with Windows XP through rdesktop(1), but still no success. Googling recommend solutions which I tried yet and no special info in man page. Here is my script for connection :

#!/bin/sh
/usr/local/bin/rdesktop -u myname -d domain -g 1440x900 -a 16 -0 -r sound:remote remoteIP &

Thanks for points
Re: OT: 10GbE Physical Network Taps
On Thu, 07 May 2009 06:10:30 +0200 Johan Fredin wrote: > On 09-05-07 05.00, J.C. Roberts wrote: > > If anyone here mistakenly thinks they can actually run *ANALYSIS* at > > these speeds with off the shelf components... > > > > BAWAHAHAHAHAHAHAHA! > > Well, depends on what you mean by "off the shelf". Procera Networks > is doing layer 7 analysis at 40Gbps FD with their PacketLogic PL10k. > The hardware used for this is sourced from companies that anyone can > buy hardware from as far as I know. > > Of course it's not x86 stuff, but it's off the shelf. :) > > /Johan It always comes down to how high up on the wall is the shelf that you can afford. ;-) -- J.C. Roberts
Re: how to configure Grub 0.97 for booting my OpenBSD 4.5
You should try GAG, I use it to dual-boot a windows/openbsd box. it will allow for installation of several OSes...

http://gag.sourceforge.net/

On Wed, May 6, 2009 at 19:37, Nick Holland wrote:
> Feifei (7I7I) wrote:
>> Hi, guys,
>>
>> I just install the OpenBSD 4.5, but my grub configuration can't boot it.
>> Before that, I use OpenBSD 4.2, it is a new installation, not upgrade.
> ...
>> It works well with the OpenBSD 4.2,
>>
>> But , if I use it to boot 4.5, I only get a error :
>> Starting up ...
>> Loading ...
>> ERR M
>
> man biosboot
> will tell you what the error means.
> http://www.openbsd.org/faq/faq14.html will show you how
> the boot process works. I'm going to assume you read that
> before I expect you to understand this:
>
> short version: the PBR read something, but it wasn't /boot.
>
> I'm not a grub expert, but obviously the PBR you are running
> isn't the one that OpenBSD put into place. Some boot loaders
> do silly things like store a copy of the real PBR somewhere
> they think is cool, and when you reinstall the OS, the stored
> PBR doesn't get replaced when the real one is. So now you have
> the old PBR reading ...something other than /boot
>
> If you replace your grub boot loader with a normal MBR and flag
> the OpenBSD partition as active, I bet the system will boot just
> fine.
>
> Alternatively, do whatever voodoo you need to do to tell grub
> there is a new PBR for it to use.
>
> Nick.
Re: ypldap and ldaps
On Wed, 6 May 2009 18:51:45 +0300 Vasiliy Kiryanov wrote: > Hello community. > > I would want to use ypldap with our ldap server that work over ssl. > The problem is how to change ypldap.conf to work with ldaps. > > I will appreciate any ideas. > > thanks. > Hi, There is no ldaps support in ypldap so far, the only viable way of doing it is replicating with slurp and binding to a local ldap server without SSL, we will make ldaps support available at some point.
Re: XTerm resizing and 4.5
On Thu, May 7, 2009 at 12:31 AM, Hugo Villeneuve wrote: > Somehow, while upgrading from 4.4 to 4.5 on i386, I lost the ability > to resize an XTerm via the command "resize -s rows cols". > > It's not the end of the world and for now I just changed XTerm > default geometry to 132x48. > > I'm not sure where I should look to bring that behavior back. see the allowWindowOps resource in the xterm(1) manual page. It is now disabled by default on OpenBSD. -- Matthieu Herrb
Re: OT: 10GbE Physical Network Taps
On 09-05-07 05.00, J.C. Roberts wrote: If anyone here mistakenly thinks they can actually run *ANALYSIS* at these speeds with off the shelf components... BAWAHAHAHAHAHAHAHA! Well, depends on what you mean by "off the shelf". Procera Networks is doing layer 7 analysis at 40Gbps FD with their PacketLogic PL10k. The hardware used for this is sourced from companies that anyone can buy hardware from as far as I know. Of course it's not x86 stuff, but it's off the shelf. :) /Johan
Calomel.org
There was mention of calomel.org recently. This is a great resource, however, it needs to be a bit more updated. For example the following page advises *not* to use the GENERIC.MP kernel, however, considering how much work has gone into the MP work and fact that MP will become default I think it should be updated. ;) https://calomel.org/network_performance.html --- James A. Peltier james_a_pelt...@yahoo.ca
Re: OT: 10GbE Physical Network Taps
On Wed, 6 May 2009 10:17:06 -0600 (MDT) Diana Eichert wrote: > On Wed, 6 May 2009, openbsd misc wrote: > > > On Wed, May 6, 2009 at 3:42 PM, Diana Eichert > > wrote: > > > >> We use physical taps at work, when I get the chance I'll take a > >> look at the vendor. > >> > >> Also, you really think you can capture 10GE? Chuckle, good luck. > >> > >> diana > > > > > > NSA,MI(x)/GCHQ,ASIO and their vendor friends would beg to differ. > > > > I can't see any black helicopters and my Tin Foil hat fits fine > > thanks for asking. > > Yeah, and I'm sure JC has equivalent resources of the acronym laden > institutions you mention. Do you have any idea how they capture > packets at line rate? I strongly doubt they are using off the shelf > hardware, Well, a good number of the 10-Gbit/s Ethernet cards on the market actually have dual 10GbE interfaces in one configuration or another. The most typical configuration that *I* have seen is the two bonded (20-Gbit/s) as a single logical interface with fail-over between the two physical connections. In short, to capture a single card, you basically need to be able to store 2-GByte/s *somewhere* Yes, I'm intentionally skipping the overhead calculations and keeping things overly generalized... --this is misc@ after all (; On the more modern Intel chipset systems (X58), your memory bandwidth is about 64-Gbyte/s from RAM to proc, so if you stuff the box with 128-GByte of ram, you can collect about an hour's worth of capture in a sizable RAM disk. Of course, 128-GByte of 1333-MHz RAM will set you back about $15-20 thousand USD. If you need more permanent storage (i.e. saved to "disk"), you only have two options: 1.) A large stripe set of Intel X25-{M,E} devices. Both the X25-M and X25-E SATA II (3.0 Gbit/s) can do about 250-Mbyte/s read/write, so a RAID0 stripe set of 16 of them will get you to about 4-Gbyte/s. 
Unfortunately, as far as *I* know, no SATA/RAID controller manufacturer has a product that can support 16 SATA II drives, *AND* has a 16-Lane PCIe Gen-1.0 interface (4-GByte/s), or 8-Lane PCIe Gen-2.0 interface (also 4-GByte/s), or a 4-Lane PCIe Gen-3.0 interface (again 4-GByte/s), so you'd be forced to use multiple controller cards and suffer a performance hit. It would cost you about $12-16 Thousand USD to build such a beast mainly due to the cost of the drives, but it's doable. For your money, you'd get about 2500-GByte (16 * 160-GByte) of rather volatile storage due to the RAID0, or about 21 hours of capture. 2.) Due to the absolutely insane prices of the hardware, your other option for non-custom hardware doesn't really qualify as "off the shelf." The other option is to use a stripe set of Fusion-IO.com solid state "disks" which can read/write at either 800-MByte/s (for the 320-GByte and below) or 1.5-GByte/s (for the 640-GByte and above "double" disks) depending on the model you buy. The present capacity limit is 640-GByte for their high end, "double" disk but that will hit 1.2-TByte by the end of the year (supposedly). Doing a stripe set across a bunch of these is, ummm, an interesting endeavor due to the fact they require very custom, closed source drivers and a system with 8-GByte of RAM per device. Oh, and according to what I've been told, if you have a power fault, you're totally screwed due to the way the mystery driver works. Though you can buy these things off the shelf, it's a very high shelf. The 320-GByte capacity 800-MByte/s drives are about $14,000 each retail, and you'd need at least four of them striped together to surpass the 2-GByte/s rate of a single 10-GBit/s card (two interfaces 20-Gbit/s). Other than the three options above, I do not know of any other way to capture 10 and/or 20 GBit/s Ethernet at line speed with off the shelf components. 
Also, I'll be the first to say the above is a bit dodgy, but it would more or less work if one can afford it. And yep, you're very much correct; attempting capture at these speeds is good for a chuckle and even the three "cheap" off-the-shelf methods above are not really affordable for home use. (; If anyone here mistakenly thinks they can actually run *ANALYSIS* at these speeds with off the shelf components... BAWAHAHAHAHAHAHAHA! Diana, thanks for the link to the FPGA analysis stuff later in the thread. I'll try to read it tomorrow, but the thought of someone doing the *REQUIRED* over-clocking of a FPGA to get the needed throughput sounds dangerously dodgy at best. Off the top of my head, other than over-clocking a "half-baked" FPGA, I can't think of any other way they could have done it without a serious performance impact on the link. > but hey what would I know, I'm just a girl. > CORRECTION: "... just a girl with technical super powers, and a lab that makes everyone very, very jealous." -- J.C. Roberts
Re: how to configure Grub 0.97 for booting my OpenBSD 4.5
Feifei (7I7I) wrote: > Hi, guys, > > I just install the OpenBSD 4.5, but my grub configuration can't boot it. > Before that, I use OpenBSD 4.2, it is a new installation, not upgrade. ... > It works well with the OpenBSD 4.2, > > But , if I use it to boot 4.5, I only get a error : > Starting up ... > Loading ... > ERR M man biosboot will tell you what the error means. http://www.openbsd.org/faq/faq14.html will show you how the boot process works. I'm going to assume you read that before I expect you to understand this: short version: the PBR read something, but it wasn't /boot. I'm not a grub expert, but obviously the PBR you are running isn't the one that OpenBSD put into place. Some boot loaders do silly things like store a copy of the real PBR somewhere they think is cool, and when you reinstall the OS, the stored PBR doesn't get replaced when the real one is. So now you have the old PBR reading ...something other than /boot If you replace your grub boot loader with a normal MBR and flag the OpenBSD partition as active, I bet the system will boot just fine. Alternatively, do whatever voodoo you need to do to tell grub there is a new PBR for it to use. Nick.
Re: HD 'Analysis'
On 5/6/2009 11:24 AM, Martin Schröder wrote: 2009/5/6, Steve Shockley: The self-tests take the drive offline while they run, right? Do you No. man smartctl Huh. That kind of contradicts the name "offline self test", but I guess they call that "captive".
Re: how to configure Grub 0.97 for booting my OpenBSD 4.5
yes, it works well with OpenBSD 4.2, but, it failed in OpenBSD 4.5, I only get an error :

Starting up ...
Loading ...
ERR M

2009/5/6 Luca Corti

> On 5/6/09 5:07 PM, Feifei (??) wrote:
> > The Grub version is distributed with the Ubuntu 8.04 which is installed in
> > (hd0,6)
> >
> > How to resolve it?
>
> Use the chainloader to call the OpenBSD bootloader. Something like:
>
> title OpenBSD
> root (hd0,a)
> makeactive
> chainloader +1
>
> ciao
>
> Luca
Re: OpenLDAP w/o bdb okay?
Henning Brauer(lists-open...@bsws.de)@2009.01.06 14:42:09 +0100: > * Toni Mueller [2009-01-06 12:25]: > > > openldap is still a piece of shit, but the ldbm backend is probably the > > > sanest one. > > > > This pattern comes up often, but almost noone suggests an alternative > > LDAP server package. > > I am not aware of any. Lack of options doesn't make openldap better. How about OpenDS? Fedora Directory Server? Both are pukable on the keyboard? Apache DS? Yeah, I know OpenDS is Java and so is ApacheDS...
Re: HD 'Analysis'
>> On Monday 04 May 2009 17:56:43 L. V. Lammert wrote: >> > What is the best way to do a surface analysis on a disk? >> 2009/5/5 Tony Abernethy : > There is, in the e2fsprogs package, something called badblocks. > I have used it (on Linux) to "rescue" bad disks. > (Windows laptops -- kinda redundant?) > > If you care about your data, follow Steve's advice. > > The reality seems to be that this does exercise a disk's ability > to relocate bad sectors so that a bad disk suddenly goes good. > This is using a destructive surface test (badblocks -sw ...) > Realistically, seems like the most reliable test is that disk is slower > than it should be. > > Me, if I want to rely on a disk drive, I will run badblocks on it. > The long-winded destructive test > And I will time it, at least sporadically. > (New disks are not immune from having problems ;-) > The exercise maybe loses out to watching grass grow. I also would recommend badblocks(8), but I would recommend badblocks -svn instead of badblocks -sw. badblocks -svn also (s)hows its progress as it goes along, but does a (v)erbose (n)on-destructive read/write test (as opposed to either the default read-only test or the destructive read/write test). You can check an entire device with badblocks, or a partition, or a file. The great thing about using badblocks to check a partition is that it's filesystem-agnostic. It will dutifully check every bit of its target partition regardless of what's actually on it. And if you give badblocks -svn an entire storage device to test, it will not even care about the actual partition scheme used. Because this read/write test can trigger the disk's own built-in bad sector relocation, this means you can even have a disk that you can't read the partition table from, and running badblocks -svn over it may at least temporarily fix things. And I've used badblocks -svn e.g. to check old Macintosh floppies. Who cares that OpenBSD doesn't know much about the filesystem on those? 
badblocks does the job anyway. (Because of this agnosticism, it's actually questionable whether badblocks(8) ought to be part of a filesystem-specific package, but hey, that's what it comes in. Yea, one *could* also argue whether to include it elsewhere by default because it's so useful, but I'm not the one making those decisions and I guess the folks who do will do what makes the most sense to them, so I don't feel like starting to be a back seat driver... ;-) Oh, and of course it would probably be prudent to do a backup before read/write tests, even though badblocks is well-established and (with -n) supposed to be non-destructive. Supposed to... ;-) I've never been disappointed but YMMV. regards, --ropers
XTerm resizing and 4.5
Somehow, while upgrading from 4.4 to 4.5 on i386, I lost the ability to resize an XTerm via the command "resize -s rows cols". It's not the end of the world and for now I just changed XTerm default geometry to 132x48. I'm not sure where I should look to bring that behavior back. -- Hugo Villeneuve
EUSecWest 2009 (May27/28) London Agenda and PacSec 2009 (Nov 4/5) Tokyo CFP deadline: June 1 2009
EUSecWest 2009 Speakers

Efficient UAK Recovery attacks against DECT - Ralf-Philipp Weinmann, University of Luxembourg
A year in the life of an Adobe Flash security researcher - Peleus Uhley, Adobe
Pwning your grandmother's iPhone - Charley Miller, Independent Security Evaluators
Post exploitation techniques on OSX and Iphone and other TBA matters. - Vincent Iozzo, Zynamics
STOP!! Objective-C Run-TIME. - nemo
Exploiting Delphi/Pascal - Ilja Van Sprundel, IOActive
PCI bus based operating system attack and protections - Christophe Devine & Guillaume Vissian, Thales
Thoughts about Trusted Computing - Joanna Rutkowska, Invisible Things Lab
Nice NIC you got there... does it come with an SSH daemon? - Arrigo Trulzi
Evolving Microsoft Exploit Mitigations - Tim Burrell & Peter Beck, Microsoft
Malware Case Study: the ZeuS evolution - Vicente Diaz, S21Sec
Writing better XSS payloads - Alex Kouzemtchenko, SIFT
Exploiting Firefox Extensions - Roberto Suggi Liverani & Nick Freeman, Security-Assessment.com
Stored Value Gift Cards, Magstripes Revisited - Adrian Pastor, Gnucitizen, Corsaire
Advanced SQL Injection to operating system control - Bernardo Damele Assumpcao Guimaraes, Portcullis
Cloning Mifare Classic - Nicolas Courtois, University of London
Rootkits on Windows Mobile/Embedded - Petr Matousek, Coseinc

PacSec 2009 CALL FOR PAPERS

World Security Pros To Converge on Japan

TOKYO, Japan -- To address the increasing importance of information security in Japan, the best known figures in the international security industry will get together with leading Japanese researchers to share best practices and technology. The most significant new discoveries about computer network hack attacks will be presented at the seventh annual PacSec conference to be discussed. The PacSec meeting provides an opportunity for foreign specialists to be exposed to Japanese innovation and markets and collaborate on practical solutions to computer security issues. 
In an informal setting with a mixture of material bilingually translated in both English and Japanese the eminent technologists can socialize and attend training sessions. Announcing the opportunity to submit papers for the PacSec 2009 network security training conference. The conference will be held November 4/5th in Tokyo. The conference focuses on emerging information security tutorials - it is a bridge between the international and Japanese information security technology communities. Please make your paper proposal submissions before June 1st, 2009. Slides for the papers must be submitted for translation by October 1, 2009 (Which, oh so rarely, happens we are going to start asking for them earlier :-P --dr). Some invited papers have been confirmed, but a limited number of speaking slots are still available. The conference is responsible for travel and accommodations for the speakers. If you have a proposal for a tutorial session then please email a synopsis of the material and your biography, papers and, speaking background to . Tutorials are one hour in length, but with simultaneous translation should be approximately 45 minutes in English, or Japanese. Only slides will be needed for the October paper deadline, full text does not have to be submitted. The PacSec conference consists of tutorials on technical details about current issues, innovative techniques and best practices in the information security realm. The audiences are a multi-national mix of professionals involved on a daily basis with security work: security product vendors, programmers, security officers, and network administrators. We give preference to technical details and education for a technical audience. The conference itself is a single track series of presentations in a lecture theater environment. The presentations offer speakers the opportunity to showcase on-going research and collaborate with peers while educating and highlighting advancements in security products and techniques. 
The focus is on innovation, tutorials, and education instead of product pitches. Some commercial content is tolerated, but it needs to be backed up by a technical presenter - either giving a valuable tutorial and best practices instruction or detailing significant new technology in the products. Paper proposals should consist of the following information: 1) Presenter, and geographical location (country of origin/passport) and contact info (e-mail, postal address, phone, fax). 2) Employer and/or affiliations. 3) Brief biography, list of publications and papers. 4) Any significant presentation and educational experience/background. 5) Topic synopsis, Proposed paper title, and a one paragraph description. 6) Reason why this material is innovative or significant or an important tutorial. 7. Optionally, any samples of prepared material or outlines ready. 8. Will you have full te
Re: Installboot to usb drive?
L. V. Lammert wrote: At 08:28 PM 5/5/2009 -0400, you wrote: ... Usual error is to forget that "boot" specified on the installboot command line is not the one in the installboot directory or your current root partition, but rather the /boot that exists on the root partition of the target drive (i.e., the "boot" you WILL use, not the one that you already used). Confirmed. Here is what worked: First problem, I missed the '/mnt' for boot: /usr/mdec/installboot -v /mnt/boot /usr/mdec/biosboot wd0 I used both sd0 and wd0 to make sure it would work, .. both indicated 'cross-device install'? Am I correct that the boot *device* specified should be wd0, when the drive will be physically used as bootable? no, all installboot does is install a tiny little program (biosboot) in the PBR, and point it to the inode used by the file /boot. So, it needs to know about which file "boot" will end up being "/boot" It needs to know where to put it, it really doesn't care what driver will hook to the device after boot. As the name implies, biosboot uses the bios, not the kernel driver. Biosboot is finished with its job long before the kernel is even loaded (is five seconds "long"? :). See faq14 for more info on how this all works. You want something like: /usr/mdec/installboot -v /mnt/boot /usr/mdec/biosboot sd0 assuming sd0a is mounted on /mnt and is your new disk. (alternately: just boot install media, point it at sd0, and it will do the rest for you...) Nick.
Re: OpenVPN destroys tun
On Wed, May 06, 2009 at 06:26:30PM -0300, Giancarlo Razzolini wrote: > Jason Dixon escreveu: >> >> I appreciate your digging into the code. That was above and beyond, >> even if it doesn't really do me any good. >> > Well, it can't always be elegant. IT isn't elegant. As you saw in the > code yourself. You only forgot to mention that you already had a > workaround for your problem. If i knew it, would had saved a lot of > time, by not suggesting another one. I mentioned it in a reply to Vadim. Sorry for not making it more obvious and that it caused you any wasted time. Thanks, -- Jason Dixon DixonGroup Consulting http://www.dixongroup.net/
Re: OpenVPN destroys tun
Jason Dixon escreveu: On Wed, May 06, 2009 at 06:04:19PM -0300, Giancarlo Razzolini wrote: Jason Dixon escreveu: Well, my rude friend, i guess you'll have to accept my suggestion because you're simply stuck with it. I shouldn't but, i took a little time and dove in openvpn source code. This is the piece of code that does what exactly what you're saying: Or I can continue to reload pf in /etc/rc.local like we currently do. No harm no foul. It's just not elegant. Sorry if you find my demeanor rude. I don't have a lot of patience for tangents when I'm asking a straightforward question and getting horizontal advice instead. New workarounds aren't necessarily better than existing workarounds. I appreciate your digging into the code. That was above and beyond, even if it doesn't really do me any good. Thanks, Well, it can't always be elegant. IT isn't elegant. As you saw in the code yourself. You only forgot to mention that you already had a workaround for your problem. If i knew it, would had saved a lot of time, by not suggesting another one. My regards, -- Giancarlo Razzolini http://lock.razzolini.adm.br Linux User 172199 Red Hat Certified Engineer no:804006389722501 Verify:https://www.redhat.com/certification/rhce/current/ Moleque Sem Conteudo Numero #002 OpenBSD 4.5 Ubuntu 9.04 Jaunty Jackalope 4386 2A6F FFD4 4D5F 5842 6EA0 7ABE BBAB 9C0E 6B85
Re: OpenVPN destroys tun
On Wed, May 06, 2009 at 11:25:20PM +0200, Ross Cameron wrote: > On Wed, May 6, 2009 at 10:38 PM, Giancarlo Razzolini > wrote: > > > > Well, i wasn't OT with my reply. And i use openvpn from the beginning of > > the project, even made a plugin for it. So i know i little of it. My > > suggestion was to avoid what you might be already suspecting. You will have > > to mess with openvpn code and recompile it to do what you want. The solution > > i suggested is a viable one, even if already have queueing policies on that > > interface. It'll only require a little adaptation on your altq rules. I > > guess you won't get far with an attitude like that, being rude with people > > that are trying to help you. That said, you might want to take a look at > > openvpn source code, mainly tun.c and tun.h files. > > I'm with Giancarlo here,... I use OpenVPN extensively (not on OpenBSD > admittedly - my own embedded BSD variant). > And the man knows what he's talking about when it comes to OpenVPN. > > Really man IF you want help don't douche on the guys trying to help you. I just wanted a simple question to a simple answer. Not the same old "jeez, you should try this instead". > An attitude like that deserves a response akin to "Use the source Luke" and > no more. We all have good and bad days. I've been offering free (hopefully good) advice to these lists for almost 10 years now. I keep my questions brief and my answers concise. Detours piss me off. -- Jason Dixon DixonGroup Consulting http://www.dixongroup.net/
Re: OpenVPN destroys tun
On Wed, May 6, 2009 at 10:38 PM, Giancarlo Razzolini wrote: > > Well, i wasn't OT with my reply. And i use openvpn from the beginning of > the project, even made a plugin for it. So i know i little of it. My > suggestion was to avoid what you might be already suspecting. You will have > to mess with openvpn code and recompile it to do what you want. The solution > i suggested is a viable one, even if already have queueing policies on that > interface. It'll only require a little adaptation on your altq rules. I > guess you won't get far with an attitude like that, being rude with people > that are trying to help you. That said, you might want to take a look at > openvpn source code, mainly tun.c and tun.h files. I'm with Giancarlo here,... I use OpenVPN extensively (not on OpenBSD admittedly - my own embedded BSD variant). And the man knows what he's talking about when it comes to OpenVPN. Really man IF you want help don't douche on the guys trying to help you. An attitude like that deserves a response akin to "Use the source Luke" and no more. -- "Opportunity is most often missed by people because it is dressed in overalls and looks like work." Thomas Alva Edison Inventor of 1093 patents, including: The light bulb, phonogram and motion pictures.
Re: OpenVPN destroys tun
On Wed, May 06, 2009 at 06:04:19PM -0300, Giancarlo Razzolini wrote: > Jason Dixon escreveu: >> > Well, my rude friend, i guess you'll have to accept my suggestion > because you're simply stuck with it. I shouldn't but, i took a little > time and dove in openvpn source code. This is the piece of code that > does what exactly what you're saying: Or I can continue to reload pf in /etc/rc.local like we currently do. No harm no foul. It's just not elegant. Sorry if you find my demeanor rude. I don't have a lot of patience for tangents when I'm asking a straightforward question and getting horizontal advice instead. New workarounds aren't necessarily better than existing workarounds. I appreciate your digging into the code. That was above and beyond, even if it doesn't really do me any good. Thanks, -- Jason Dixon DixonGroup Consulting http://www.dixongroup.net/
Re: OpenVPN destroys tun
Jason Dixon wrote:

On Wed, May 06, 2009 at 05:38:51PM -0300, Giancarlo Razzolini wrote:

Well, i wasn't OT with my reply. And i use openvpn from the beginning of the project, even made a plugin for it. So i know i little of it. My suggestion was to avoid what you might be already suspecting. You will have to mess with openvpn code and recompile it to do what you want. The solution i suggested is a viable one, even if already have queueing policies on that interface. It'll only require a little adaptation on your altq rules. I guess you won't get far with an attitude like that, being rude with people that are trying to help you. That said, you might want to take a look at openvpn source code, mainly tun.c and tun.h files.

Regardless of how much you claim to know about it, the fact remains that there's no way to have OpenVPN bind to an existing tun device. Thanks for the roundabout answer.

Well, my rude friend, i guess you'll have to accept my suggestion because you're simply stuck with it. I shouldn't but, i took a little time and dove in openvpn source code. This is the piece of code that does exactly what you're saying:

#elif defined(TARGET_OPENBSD)

      /*
       * OpenBSD tun devices appear to be persistent by default. It seems in order
       * to make this work correctly, we need to delete the previous instance
       * (if it exists), and re-ifconfig. Let me know if you know a better way.
       */

      argv_printf (&argv, "%s %s destroy", IFCONFIG_PATH, actual);
      argv_msg (M_INFO, &argv);
      openvpn_execve_check (&argv, es, 0, NULL);
      argv_printf (&argv, "%s %s create", IFCONFIG_PATH, actual);
      argv_msg (M_INFO, &argv);
      openvpn_execve_check (&argv, es, 0, NULL);
      msg (M_INFO, "NOTE: Tried to delete pre-existing tun/tap instance -- No Problem if failure");

      /* example: ifconfig tun2 10.2.0.2 10.2.0.1 mtu 1450 netmask 255.255.255.255 up */
      if (tun)
        argv_printf (&argv, "%s %s %s %s mtu %d netmask 255.255.255.255 up",
                     IFCONFIG_PATH, actual, ifconfig_local,
                     ifconfig_remote_netmask, tun_mtu);
      else
        argv_printf (&argv, "%s %s %s netmask %s mtu %d broadcast %s link0",
                     IFCONFIG_PATH, actual, ifconfig_local,
                     ifconfig_remote_netmask, tun_mtu, ifconfig_broadcast);
      argv_msg (M_INFO, &argv);
      openvpn_execve_check (&argv, es, S_FATAL, "OpenBSD ifconfig failed");
      tt->did_ifconfig = true;

Attempt to the comment of the developer. If you change this code, it'll probably break openvpn and it won't work. Either you accept my suggestion, that was a good and viable one, or you change this piece of code. By the way, don't forget to contact James (main openvpn developer), and tell that you have a better way, as he asks in his comment. Bet that wasn't roundabout.

My regards,

--
Giancarlo Razzolini
http://lock.razzolini.adm.br
Linux User 172199
Red Hat Certified Engineer no:804006389722501
Verify:https://www.redhat.com/certification/rhce/current/
Moleque Sem Conteudo Numero #002
OpenBSD 4.5 Ubuntu 9.04 Jaunty Jackalope
4386 2A6F FFD4 4D5F 5842 6EA0 7ABE BBAB 9C0E 6B85
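
[Added example, not part of any poster's message and not OpenVPN project code.] The destroy/create sequence quoted above is why ALTQ queues attached to the tun interface vanish when OpenVPN starts, and why the thread's workaround is to reload pf afterwards. The sketch below is a helper for an OpenVPN "up" hook that reloads the ruleset only when no queue is attached to the interface; it assumes the ruleset is in /etc/pf.conf, that `pfctl -s queue` prints lines of the form "queue NAME on IFACE ...", and that the hook receives the device name as its first argument.

```shell
#!/bin/sh
# Added example: helper for an OpenVPN "up" hook on OpenBSD with pf/ALTQ.
# Assumptions (not from the thread): ruleset path /etc/pf.conf, and
# `pfctl -s queue` output of the form "queue NAME on IFACE ...".

PF_CONF="${PF_CONF:-/etc/pf.conf}"

# valid_tun_name IFACE: accept only tunN / tapN (N = 0..99), so an unexpected
# argument from the caller is never used in a privileged code path.
valid_tun_name() {
    case "$1" in
        tun[0-9]|tun[0-9][0-9]|tap[0-9]|tap[0-9][0-9]) return 0 ;;
        *) return 1 ;;
    esac
}

# queues_on_iface IFACE: read `pfctl -s queue` output on stdin and print how
# many queues are attached to IFACE.
queues_on_iface() {
    awk -v ifc="$1" '
        $1 == "queue" {
            for (i = 2; i < NF; i++)
                if ($i == "on" && $(i + 1) == ifc) { n++; break }
        }
        END { print n + 0 }'
}

# decide_action IFACE: read queue listing on stdin, print one of
#   ok      queues are still attached, nothing to do
#   reload  interface was recreated and lost its queues
#   reject  interface name is not one we expect
decide_action() {
    valid_tun_name "$1" || { echo reject; return 0; }
    if [ "$(queues_on_iface "$1")" -eq 0 ]; then
        echo reload
    else
        echo ok
    fi
}

main() {
    iface="$1"
    action=$(pfctl -s queue 2>/dev/null | decide_action "$iface")
    case "$action" in
        ok)
            return 0 ;;
        reload)
            # Parse-check first (-n) so a broken ruleset is never loaded.
            pfctl -n -f "$PF_CONF" && pfctl -f "$PF_CONF" ;;
        *)
            echo "refusing unexpected interface name: $iface" >&2
            return 1 ;;
    esac
}

# Run only when called with arguments (the device name comes first).
if [ "$#" -gt 0 ]; then
    main "$@"
fi
```
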
swap(encrypt) vs. vnd
Hello misc@, any one can answer the following question: why codebase used to encrypt/decrypt swap is not used to replace/ complement vnd? Complement, means skip the creation of encrypted image part and work directly with block device. //maxim
Re: Hey, what is it http://www.openbsdsupport.org/obsd_php_mysql.html
It's a bird? No, it's a UFO! No, It's gone! It wasn't link from the main page for a very long time waiting on the author updates, but as it never come, then now deleted! May be a wiki page will show up soon instead, but will see how I fell about it. Don't complain on misc@ for anything wrong there, just send updates. Best, Daniel looptigger wrote: it's ABSOLUTE URL :) On Wed, May 6, 2009 at 7:55 PM, Otto Moerbeek wrote: On Wed, May 06, 2009 at 12:33:02PM -0400, Ted Unangst wrote: It's a website. On Wed, May 6, 2009 at 11:55 AM, Alexandr Knyazev wrote: subj Nah, it's a URL. -Otto
Re: A new toy for programmers who use VIM on OpenBSD
On 06/05/09 10:43 +0100, Stuart Henderson wrote: > (cc/reply-to set to ports@). > > useful :-) would you be interested in adding some kind of license > (we like /usr/share/misc/license.template, but it's your choice)? > then it could go into ports/packages. > No problem, I'd love to add this license. -- Dasn
Re: OpenVPN destroys tun
On Wed, May 06, 2009 at 11:20:43AM -0400, Jason Dixon wrote: > So apparently OpenVPN is a douche of an application by > destroying/recreating any tun devices you ask it to bind to. This > causes havoc with pf/altq if you queue on those tun interfaces. > > I've asked on the openvpn-users mailing list if there's any way to have > OpenVPN avoid teardown of an existing tun(4) interface but nobody had > any useful answers (besides "use the up/down scripts")... yeah, thanks. > Has anyone here used OpenVPN in server mode and overcome this? > How does openvpn destroy the interfaces? IIRC they just close the fd and that is causing the interface to be destroyed if it was auto created. Did you try to "ifconfig tunX up" before starting openvpn? These interfaces will not be auto destroyed on close and remain available. -- :wq Claudio
Re: OpenVPN destroys tun
On Wed, May 06, 2009 at 05:38:51PM -0300, Giancarlo Razzolini wrote: > > Well, i wasn't OT with my reply. And i use openvpn from the beginning of > the project, even made a plugin for it. So i know i little of it. My > suggestion was to avoid what you might be already suspecting. You will > have to mess with openvpn code and recompile it to do what you want. The > solution i suggested is a viable one, even if already have queueing > policies on that interface. It'll only require a little adaptation on > your altq rules. I guess you won't get far with an attitude like that, > being rude with people that are trying to help you. That said, you might > want to take a look at openvpn source code, mainly tun.c and tun.h files. Regardless of how much you claim to know about it, the fact remains that there's no way to have OpenVPN bind to an existing tun device. Thanks for the roundabout answer. -- Jason Dixon DixonGroup Consulting http://www.dixongroup.net/
Re: OpenVPN destroys tun
Jason Dixon escreveu: On Wed, May 06, 2009 at 04:29:10PM -0300, Giancarlo Razzolini wrote: Jason Dixon escreveu: So apparently OpenVPN is a douche of an application by destroying/recreating any tun devices you ask it to bind to. This causes havoc with pf/altq if you queue on those tun interfaces. I've asked on the openvpn-users mailing list if there's any way to have OpenVPN avoid teardown of an existing tun(4) interface but nobody had any useful answers (besides "use the up/down scripts")... yeah, thanks. Has anyone here used OpenVPN in server mode and overcome this? Well, you don't necessarily need to enable altq on the tun interface to get your packets queued. I did overcome this by making the queue on another interface, a physical one, and then making packets coming or leaving the tun interface to get queued on that interface. This works, and you won't have to deal with the tun interface being destroyed across openvpn starts/stops. You don't understand the usage. We have a remote office with a fixed pipe and *all* of their traffic crossing the VPN tunnel to our office. It's necessary to queue a fraction of the traffic crossing the physical interface for this purpose. We also perform queueing on the physical interface that has a completely different usage model than the VPN tunnel. Please, let's not get off-topic. It's a simple question... can you start OpenVPN without having it destroy/recreate the tun interface. If you haven't used this, please refrain from commenting. Thanks, Well, i wasn't OT with my reply. And i use openvpn from the beginning of the project, even made a plugin for it. So i know i little of it. My suggestion was to avoid what you might be already suspecting. You will have to mess with openvpn code and recompile it to do what you want. The solution i suggested is a viable one, even if already have queueing policies on that interface. It'll only require a little adaptation on your altq rules. 
I guess you won't get far with an attitude like that, being rude with people that are trying to help you. That said, you might want to take a look at openvpn source code, mainly tun.c and tun.h files. My regards, -- Giancarlo Razzolini http://lock.razzolini.adm.br Linux User 172199 Red Hat Certified Engineer no:804006389722501 Verify:https://www.redhat.com/certification/rhce/current/ Moleque Sem Conteudo Numero #002 OpenBSD 4.5 Ubuntu 9.04 Jaunty Jackalope 4386 2A6F FFD4 4D5F 5842 6EA0 7ABE BBAB 9C0E 6B85
Re: OpenVPN destroys tun
On Wed, May 06, 2009 at 11:51:19PM +0400, Vadim Zhukov wrote: > On Wednesday 06 May 2009 23:34:52 Jason Dixon wrote: > > > > I'm specifying "dev tun0". Per the openvpn(8) man page, dev-type > > should only be used "if the TUN/TAP device used with --dev does not > > begin with tun or tap". [ ... ] > 1. Did you tried specifing tunnel type? > > 2. "tap" devices exists on Windows and on Linux, but NOT on OpenBSD. So > OpenVPN cannot determine device type via its name. Both of your questions were answered by my last reply (see above). Thanks, -- Jason Dixon DixonGroup Consulting http://www.dixongroup.net/
Re: OpenVPN destroys tun
On Wednesday 06 May 2009 23:34:52 Jason Dixon wrote:
> On Wed, May 06, 2009 at 03:21:16PM -0400, Mark Shroyer wrote:
> > On Wed, May 06, 2009 at 11:20:43AM -0400, Jason Dixon wrote:
> > > So apparently OpenVPN is a douche of an application by
> > > destroying/recreating any tun devices you ask it to bind to. This
> > > causes havoc with pf/altq if you queue on those tun interfaces.
> > >
> > > I've asked on the openvpn-users mailing list if there's any way to
> > > have OpenVPN avoid teardown of an existing tun(4) interface but
> > > nobody had any useful answers (besides "use the up/down
> > > scripts")... yeah, thanks. Has anyone here used OpenVPN in server
> > > mode and overcome this?
> >
> > Weird. I ran an OpenVPN server on my OpenBSD gateway until just
> > recently, and I'm 98% sure that it never did this to me. Are you
> > specifying both "dev-type" and "dev" in the VPN configuration?
>
> I'm specifying "dev tun0". Per the openvpn(8) man page, dev-type
> should only be used "if the TUN/TAP device used with --dev does not
> begin with tun or tap".
>
> Were you actually using altq on your tun device?
>
> > Actually, that's one thought... are you sure that the "dev-type"
> > setting in your OpenVPN configuration file and the configuration of
> > your tun(4) device are either both as tun or both as tap? One of
> > the things that caught me off-guard about setting up OpenVPN on
> > OpenBSD is that OpenBSD's tap interfaces are actually called "tunX",
> > they just have the link0 flag set. (So you could properly end up
> > with, e.g., "dev-type tap" and "dev tun0" in your OpenVPN
> > configuration.) Could be that if OpenVPN expects one type of device
> > but gets the other, it automatically destroys and replaces it...
>
> As mentioned, "dev-type" is unnecessary. We have no problems with
> this configuration other than OpenVPN destroying the device at runtime
> which causes the file-descriptor to change, confusing pf/altq.

1. Did you try specifying tunnel type?

2. "tap" devices exist on Windows and on Linux, but NOT on OpenBSD. So OpenVPN cannot determine device type via its name.

--
Best wishes,
Vadim Zhukov

A: Because it messes up the way people read text.
Q: Why is a top-posting such a bad thing?
Re: OpenVPN destroys tun
On Wed, May 06, 2009 at 11:43:15PM +0400, Vadim Zhukov wrote:
> On Wednesday 06 May 2009 23:18:31 Jason Dixon wrote:
> >
> > Having OpenVPN create the tun device does me no good. I'd still have
> > to re-load pf/altq after the file descriptor is created.
>
> Strange, I do not have such problem. But I'm not using altq there,
> just some block/allow and NAT... Could you post your OpenVPN config?

Right, this only really manifests with altq on tun(4). There's no point to pasting my config, but I'll include most of it here so you don't think I'm jerking your chain. ;)

#
local x.x.x.9
port 1194
proto udp
dev tun0
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/server.crt
key /etc/openvpn/keys/server.key
dh /etc/openvpn/keys/dh1024.pem
crl-verify /etc/openvpn/crl.pem
tls-auth /etc/openvpn/keys/ta.key 0
client-config-dir /etc/openvpn/ccd
server 192.168.210.0 255.255.255.0
ifconfig-pool-persist /etc/openvpn/ipp.txt 86400
push "route 10.0.116.0 255.255.254.0"
keepalive 10 120
comp-lzo
user nobody
group nobody
persist-key
persist-tun
status /etc/openvpn/openvpn-status.log
verb 3
management 127.0.0.1 7505
#

--
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net/
Re: OpenVPN destroys tun
On Wednesday 06 May 2009 23:18:31 Jason Dixon wrote:
> On Wed, May 06, 2009 at 11:14:21PM +0400, Vadim Zhukov wrote:
> > On Wednesday 06 May 2009 21:39:15 Jason Dixon wrote:
> > > On Wed, May 06, 2009 at 08:48:06PM +0400, Vadim Zhukov wrote:
> > > > On Wednesday 06 May 2009 19:20:43 Jason Dixon wrote:
> > > > > So apparently OpenVPN is a douche of an application by
> > > > > destroying/recreating any tun devices you ask it to bind to.
> > > > > This causes havoc with pf/altq if you queue on those tun
> > > > > interfaces.
> > > > >
> > > > > I've asked on the openvpn-users mailing list if there's any
> > > > > way to have OpenVPN avoid teardown of an existing tun(4)
> > > > > interface but nobody had any useful answers (besides "use the
> > > > > up/down scripts")... yeah, thanks. Has anyone here used
> > > > > OpenVPN in server mode and overcome this?
> > > >
> > > > See "persist-tun" option.
> > >
> > > This only affects restarts, not the initial startup.
> >
> > The idea is that you pre-create tun device (possibly in startup
> > script, or in /etc/rc.local) and then OpenVPN uses it.
>
> You're missing the point. I create the necessary tun devices at boot
> with hostname.tun* so that we get no pf/altq load errors. But as soon
> as OpenVPN runs from rc.local, it destroys the tun device and
> recreates it. This breaks altq because the file descriptor
> (/dev/tun*) changes.
>
> Having OpenVPN create the tun device does me no good. I'd still have
> to re-load pf/altq after the file descriptor is created.

Strange, I do not have such problem. But I'm not using altq there, just some block/allow and NAT... Could you post your OpenVPN config? Mine looks like this:

remote vpn.some.net 1194
proto tcp-client
resolv-retry infinite
persist-tun
dev tun2
dev-type tap
pull
ifconfig-noexec
up "/etc/openvpn/some.up"

(parameters related to authentication are excluded). "Up" script just runs ifconfig for configuring (not [re-]creating) tun device.

--
Best wishes,
Vadim Zhukov

A: Because it messes up the way people read text.
Q: Why is a top-posting such a bad thing?
Re: OpenVPN destroys tun
On Wed, May 06, 2009 at 04:29:10PM -0300, Giancarlo Razzolini wrote: > Jason Dixon escreveu: >> So apparently OpenVPN is a douche of an application by >> destroying/recreating any tun devices you ask it to bind to. This >> causes havoc with pf/altq if you queue on those tun interfaces. >> >> I've asked on the openvpn-users mailing list if there's any way to have >> OpenVPN avoid teardown of an existing tun(4) interface but nobody had >> any useful answers (besides "use the up/down scripts")... yeah, thanks. >> Has anyone here used OpenVPN in server mode and overcome this? >> > Well, you don't necessarily need to enable altq on the tun interface to > get your packets queued. I did overcome this by making the queue on > another interface, a physical one, and then making packets coming or > leaving the tun interface to get queued on that interface. This works, > and you won't have to deal with the tun interface being destroyed across > openvpn starts/stops. You don't understand the usage. We have a remote office with a fixed pipe and *all* of their traffic crossing the VPN tunnel to our office. It's necessary to queue a fraction of the traffic crossing the physical interface for this purpose. We also perform queueing on the physical interface that has a completely different usage model than the VPN tunnel. Please, let's not get off-topic. It's a simple question... can you start OpenVPN without having it destroy/recreate the tun interface. If you haven't used this, please refrain from commenting. Thanks, -- Jason Dixon DixonGroup Consulting http://www.dixongroup.net/
Re: OpenVPN destroys tun
Jason Dixon escreveu: So apparently OpenVPN is a douche of an application by destroying/recreating any tun devices you ask it to bind to. This causes havoc with pf/altq if you queue on those tun interfaces. I've asked on the openvpn-users mailing list if there's any way to have OpenVPN avoid teardown of an existing tun(4) interface but nobody had any useful answers (besides "use the up/down scripts")... yeah, thanks. Has anyone here used OpenVPN in server mode and overcome this? Thanks, Well, you don't necessarily need to enable altq on the tun interface to get your packets queued. I did overcome this by making the queue on another interface, a physical one, and then making packets coming or leaving the tun interface to get queued on that interface. This works, and you won't have to deal with the tun interface being destroyed across openvpn starts/stops. My regards, -- Giancarlo Razzolini http://lock.razzolini.adm.br Linux User 172199 Red Hat Certified Engineer no:804006389722501 Verify:https://www.redhat.com/certification/rhce/current/ Moleque Sem Conteudo Numero #002 OpenBSD 4.5 Ubuntu 9.04 Jaunty Jackalope 4386 2A6F FFD4 4D5F 5842 6EA0 7ABE BBAB 9C0E 6B85
Re: OpenVPN destroys tun
On Wed, May 06, 2009 at 03:21:16PM -0400, Mark Shroyer wrote: > On Wed, May 06, 2009 at 11:20:43AM -0400, Jason Dixon wrote: > > So apparently OpenVPN is a douche of an application by > > destroying/recreating any tun devices you ask it to bind to. This > > causes havoc with pf/altq if you queue on those tun interfaces. > > > > I've asked on the openvpn-users mailing list if there's any way to have > > OpenVPN avoid teardown of an existing tun(4) interface but nobody had > > any useful answers (besides "use the up/down scripts")... yeah, thanks. > > Has anyone here used OpenVPN in server mode and overcome this? > > Weird. I ran an OpenVPN server on my OpenBSD gateway until just > recently, and I'm 98% sure that it never did this to me. Are you > specifying both "dev-type" and "dev" in the VPN configuration? I'm specifying "dev tun0". Per the openvpn(8) man page, dev-type should only be used "if the TUN/TAP device used with --dev does not begin with tun or tap". Were you actually using altq on your tun device? > Actually, that's one thought... are you sure that the "dev-type" > setting in your OpenVPN configuration file and the configuration of your > tun(4) device are either both as tun or both as tap? One of the things > that caught me off-guard about setting up OpenVPN on OpenBSD is that > OpenBSD's tap interfaces are actually called "tunX", they just have the > link0 flag set. (So you could properly end up with, e.g., "dev-type > tap" and "dev tun0" in your OpenVPN configuration.) Could be that if > OpenVPN expects one type of device but gets the other, it automatically > destroys and replaces it... As mentioned, "dev-type" is unnecessary. We have no problems with this configuration other than OpenVPN destroying the device at runtime which causes the file-descriptor to change, confusing pf/altq. Thanks, -- Jason Dixon DixonGroup Consulting http://www.dixongroup.net/
Re: Hey, what is it http://www.openbsdsupport.org/obsd_php_mysql.html
Why are all of you dwelling on the subject of this message? Clearly, the body of the message refers to the important part: subj I don't have an answer to subj, but one of the bad ass developers MUST know! Chris Bennett looptigger wrote: it's ABSOLUTE URL :) On Wed, May 6, 2009 at 7:55 PM, Otto Moerbeek wrote: On Wed, May 06, 2009 at 12:33:02PM -0400, Ted Unangst wrote: It's a website. On Wed, May 6, 2009 at 11:55 AM, Alexandr Knyazev wrote: subj Nah, it's a URL. -Otto -- A human being should be able to change a diaper, plan an invasion, butcher a hog, conn a ship, design a building, write a sonnet, balance accounts, build a wall, set a bone, comfort the dying, take orders, give orders, cooperate, act alone, solve equations, analyze a new problem, pitch manure, program a computer, cook a tasty meal, fight efficiently, die gallantly. Specialization is for insects. -- Robert Heinlein
Re: OpenVPN destroys tun
On Wed, May 06, 2009 at 11:14:21PM +0400, Vadim Zhukov wrote: > On Wednesday 06 May 2009 21:39:15 Jason Dixon wrote: > > On Wed, May 06, 2009 at 08:48:06PM +0400, Vadim Zhukov wrote: > > > On Wednesday 06 May 2009 19:20:43 Jason Dixon wrote: > > > > So apparently OpenVPN is a douche of an application by > > > > destroying/recreating any tun devices you ask it to bind to. This > > > > causes havoc with pf/altq if you queue on those tun interfaces. > > > > > > > > I've asked on the openvpn-users mailing list if there's any way to > > > > have OpenVPN avoid teardown of an existing tun(4) interface but > > > > nobody had any useful answers (besides "use the up/down > > > > scripts")... yeah, thanks. Has anyone here used OpenVPN in server > > > > mode and overcome this? > > > > > > See "persist-tun" option. > > > > This only affects restarts, not the initial startup. > > The idea is that you pre-create tun device (possibly in startup script, > or in /etc/rc.local) and then OpenVPN uses it. You're missing the point. I create the necessary tun devices at boot with hostname.tun* so that we get no pf/altq load errors. But as soon as OpenVPN runs from rc.local, it destroys the tun device and recreates it. This breaks altq because the file descriptor (/dev/tun*) changes. Having OpenVPN create the tun device does me no good. I'd still have to re-load pf/altq after the file descriptor is created. -- Jason Dixon DixonGroup Consulting http://www.dixongroup.net/
Re: OpenVPN destroys tun
On Wed, May 06, 2009 at 11:20:43AM -0400, Jason Dixon wrote: > So apparently OpenVPN is a douche of an application by > destroying/recreating any tun devices you ask it to bind to. This > causes havoc with pf/altq if you queue on those tun interfaces. > > I've asked on the openvpn-users mailing list if there's any way to have > OpenVPN avoid teardown of an existing tun(4) interface but nobody had > any useful answers (besides "use the up/down scripts")... yeah, thanks. > Has anyone here used OpenVPN in server mode and overcome this? Weird. I ran an OpenVPN server on my OpenBSD gateway until just recently, and I'm 98% sure that it never did this to me. Are you specifying both "dev-type" and "dev" in the VPN configuration? Actually, that's one thought... are you sure that the "dev-type" setting in your OpenVPN configuration file and the configuration of your tun(4) device are either both as tun or both as tap? One of the things that caught me off-guard about setting up OpenVPN on OpenBSD is that OpenBSD's tap interfaces are actually called "tunX", they just have the link0 flag set. (So you could properly end up with, e.g., "dev-type tap" and "dev tun0" in your OpenVPN configuration.) Could be that if OpenVPN expects one type of device but gets the other, it automatically destroys and replaces it... If that doesn't work, maybe you could try replacing the "dev" line in your configuration with an equivalent "dev-node" line, just for the heck of it. Just a couple random shots in the dark, anyway. -- Mark Shroyer http://markshroyer.com/contact/
Re: OpenVPN destroys tun
On Wednesday 06 May 2009 21:39:15 Jason Dixon wrote: > On Wed, May 06, 2009 at 08:48:06PM +0400, Vadim Zhukov wrote: > > On Wednesday 06 May 2009 19:20:43 Jason Dixon wrote: > > > So apparently OpenVPN is a douche of an application by > > > destroying/recreating any tun devices you ask it to bind to. This > > > causes havoc with pf/altq if you queue on those tun interfaces. > > > > > > I've asked on the openvpn-users mailing list if there's any way to > > > have OpenVPN avoid teardown of an existing tun(4) interface but > > > nobody had any useful answers (besides "use the up/down > > > scripts")... yeah, thanks. Has anyone here used OpenVPN in server > > > mode and overcome this? > > > > See "persist-tun" option. > > This only affects restarts, not the initial startup. The idea is that you pre-create tun device (possibly in startup script, or in /etc/rc.local) and then OpenVPN uses it. -- Best wishes, Vadim Zhukov A: Because it messes up the way people read text. Q: Why is a top-posting such a bad thing?
Re: Hey, what is it http://www.openbsdsupport.org/obsd_php_mysql.html
it's ABSOLUTE URL :) On Wed, May 6, 2009 at 7:55 PM, Otto Moerbeek wrote: > On Wed, May 06, 2009 at 12:33:02PM -0400, Ted Unangst wrote: > > > It's a website. > > > > On Wed, May 6, 2009 at 11:55 AM, Alexandr Knyazev > wrote: > > > subj > > Nah, it's a URL. > >-Otto
Re: DHCP versus PPPoE for ADSL.
Ignore my question re inet6 wildcards. Asked and answered. From: Stuart Henderson > I think you're "supposed" to do rtsol, but we don't support that on a > device configured as a router. There is afaik no IPv6 address discovery > mechanism done by PPP. Best wishes.
Re: OT: 10GbE Physical Network Taps
openbsd misc wrote: >NSA,MI(x)/GCHQ,ASIO and their vendor friends would beg to differ. That would be DSD rather than ASIO, I think. (Since we are already wildly off-topic.) -- Christian "naddy" Weisgerber na...@mips.inka.de
Re: OpenVPN destroys tun
On Wed, May 06, 2009 at 08:48:06PM +0400, Vadim Zhukov wrote: > On Wednesday 06 May 2009 19:20:43 Jason Dixon wrote: > > So apparently OpenVPN is a douche of an application by > > destroying/recreating any tun devices you ask it to bind to. This > > causes havoc with pf/altq if you queue on those tun interfaces. > > > > I've asked on the openvpn-users mailing list if there's any way to > > have OpenVPN avoid teardown of an existing tun(4) interface but nobody > > had any useful answers (besides "use the up/down scripts")... yeah, > > thanks. Has anyone here used OpenVPN in server mode and overcome this? > > See "persist-tun" option. This only affects restarts, not the initial startup. -- Jason Dixon DixonGroup Consulting http://www.dixongroup.net/
Re: DHCP versus PPPoE for ADSL.
From: Stuart Henderson
> I just added the address assigned to me into hostname.pppoe0:
> inet6 2001:4b10:1002:ff::1 64
> !/sbin/route add -inet6 default 2001:4b10:1002:ff::1

Hi Stuart. Thanks for all the help.

I am curious, in pppoe(4) this example is given:

inet 0.0.0.0 255.255.255.255 NONE \
        pppoedev ne0 authproto pap \
        authname 'testcaller' authkey 'donttell' up
dest 0.0.0.1
!/sbin/route add default -ifp pppoe0 0.0.0.1

So the destination wildcard is used as the route entry. You have used the IP6 address assigned to your interface rather than the remote IP6 address. I must be missing something. Can you shine a light on that for me?

Also, considering my ISP is very reticent (for whatever reason) to provide support for IPv6 do you have any idea of the wildcards for inet6? Getting IP addresses out of them is proving problematic. I suspect they are ready but haven't got to the point for large scale implementation. I would rather suck it and see than get support mail referring me to Wikipedia.

Best wishes.
Re: OT: 10GbE Physical Network Taps
Diana Eichert wrote:
[...]
> AKA what kind of money you have to throw at it.

Isn't that always the case? ;)

> Ours was the 2nd or third built, you could still get to
> the FPGA with Xilinx development tools. A grad student, Jonathon
> Donaldson, working in our organization used it
> in the work he did for his thesis. If you are
> interested it is available here,
> https://ritdml.rit.edu/dspace/bitstream/1850/4769/1/JDonaldsonThesis05-2007.pdf

*print*, looks like a good read for the train coming up next ;)

Greets,
Jeroen
Re: OT: 10GbE Physical Network Taps
On Wed, 6 May 2009, Jeroen Massar wrote: SNIP it just depends on what kind of hardware one throws at it ;) Greets, Jeroen (long live IPSEC :) AKA what kind of money you have to throw at it. We had a 10G box that filtered on SNORT rules in hardware. We purchased it from MetaNetworks, who were bought out by Force10. The product page is here, http://www.force10networks.com/products/pseries.asp . Ours was the 2nd or third built, you could still get to the FPGA with Xilinx development tools. A grad student, Jonathon Donaldson, working in our organization used it in the work he did for his thesis. If you are interested it is available here, https://ritdml.rit.edu/dspace/bitstream/1850/4769/1/JDonaldsonThesis05-2007.pdf diana
Re: Hey, what is it http://www.openbsdsupport.org/obsd_php_mysql.html
On Wed, May 06, 2009 at 12:33:02PM -0400, Ted Unangst wrote: > It's a website. > > On Wed, May 6, 2009 at 11:55 AM, Alexandr Knyazev > wrote: > > subj Nah, it's a URL. -Otto
Re: OT: 10GbE Physical Network Taps
Diana Eichert wrote:
> On Wed, 6 May 2009, openbsd misc wrote:
>
>> On Wed, May 6, 2009 at 3:42 PM, Diana Eichert
>> wrote:
>>
>>> We use physical taps at work, when I get the chance I'll take a look at
>>> the vendor.
>>>
>>> Also, you really think you can capture 10GE? Chuckle, good luck.

Pretty hard, but doable with special hardware according to some people (eg not me, not my toys, just forwarding what I read about/know)

DAG cards come to mind:
http://www.endace.com/dag-network-monitoring-cards.html
which you can stick into most hosts, they sell various 10GE adapters and claim it can do 10GE too. Linux/Windows/FreeBSD drivers available, thus should not be too hard I guess to make an OpenBSD driver (that is depending on documentation available etc...)

They claim to be able to even do 40Gbps:
http://www.endace.com/guaranteed-packet-capture.html

8<
This foundation is totally agnostic, supporting Ethernet and Packet-Over-SONET (PoS), IP and InfiniBand, guaranteeing packet capture, regardless of packet rate and size, at interface speeds up to 40Gbps.
>8

And I know for a fact that IBM ISS has a DPI thing which can do 40Gbps++, that is including up to Level 7 analysis... it just depends on what kind of hardware one throws at it ;)

Greets,
Jeroen

(long live IPSEC :)
Re: OT: 10GbE Physical Network Taps
openbsd misc wrote: On Wed, May 6, 2009 at 3:42 PM, Diana Eichert wrote: On Wed, 6 May 2009, J.C. Roberts wrote: I need to collect raw throughput statistics without increasing latency or reducing bandwidth on 10GbE fiber links, so most of the typical methods are out of the question (i.e. like bridging, SPAN sessions on a switch, ...). As far as my understanding allows, I believe the best way to do this is with a physical network tap connected to monitoring equipment. I figure folks running/maintaining OpenBSD firewalls might be familiar with using physical network taps for deploying IDS/IPS since using bridges on such systems is a "Bad Idea" (R)(TM). I've found one company [1] which offers what I need, but I was wondering if anyone can recommend a vendor of physical network taps? Thanks, jcr [1] http://www.networktaps.com/products/index.html -- J.C. Roberts JC We use physical taps at work, when I get the chance I'll take a look at the vendor. Also, you really think you can capture 10GE? Chuckle, good luck. note that he wants "to collect raw throughput statistics" and doesn't explicitly say dump all the traffic to disk. if he wanted to dump the entire pipe to disk it would require > 10 COTS machines and load balancing. diana NSA,MI(x)/GCHQ,ASIO and their vendor friends would beg to differ. i'd be more worried about the NBA, those dudes are huge and are known to roll with guns in sweatpants. jc is just trying to find a way to get traffic statistics, likely in relation to his earlier 'remotely connected disk' discussion. move along, nothing to see here. I can't see any black helicopters and my Tin Foil hat fits fine thanks for asking.
Re: OpenVPN destroys tun
On Wednesday 06 May 2009 19:20:43 Jason Dixon wrote: > So apparently OpenVPN is a douche of an application by > destroying/recreating any tun devices you ask it to bind to. This > causes havoc with pf/altq if you queue on those tun interfaces. > > I've asked on the openvpn-users mailing list if there's any way to > have OpenVPN avoid teardown of an existing tun(4) interface but nobody > had any useful answers (besides "use the up/down scripts")... yeah, > thanks. Has anyone here used OpenVPN in server mode and overcome this? > > Thanks, See "persist-tun" option. -- Best wishes, Vadim Zhukov A: Because it messes up the way people read text. Q: Why is a top-posting such a bad thing?
Re: ypldap and ldaps
On Wed, May 6, 2009 at 4:51 PM, Vasiliy Kiryanov wrote: > I would want to use ypldap with our ldap server that work over ssl. > The problem is how to change ypldap.conf to work with ldaps. Hello, I took this as a base : http://kerneltrap.org/index.php?q=mailarchive/openbsd-misc/2008/10/11/3589614/thread I remember successfully linking to my ldap server over SSL but cannot check it now (test server and currently off). Maybe some other people can expand on that. The only remaining problem as far as i can see is that one user cannot login using that system if he is not in the passwd file (which makes it slightly redundant then). If I am mistaken about that point, I'd happily like to be corrected and shown the way. Cheers, Steph
Re: OT: 10GbE Physical Network Taps
We use NetOptics taps. diana
Re: Hey, what is it http://www.openbsdsupport.org/obsd_php_mysql.html
It's a website. On Wed, May 6, 2009 at 11:55 AM, Alexandr Knyazev wrote: > subj
Re: OT: 10GbE Physical Network Taps
On Wed, 6 May 2009, openbsd misc wrote: On Wed, May 6, 2009 at 3:42 PM, Diana Eichert wrote: We use physical taps at work, when I get the chance I'll take a look at the vendor. Also, you really think you can capture 10GE? Chuckle, good luck. diana NSA,MI(x)/GCHQ,ASIO and their vendor friends would beg to differ. I can't see any black helicopters and my Tin Foil hat fits fine thanks for asking. Yeah, and I'm sure JC has equivalent resources of the acronym laden institutions you mention. Do you have any idea how they capture packets at line rate? I strongly doubt they are using off the shelf hardware, but hey what would I know, I'm just a girl. I'm sure you can piss a further stream than I can so I leave the pissing match to you. diana
Re: X won't work
On Wed, May 06, 2009 at 04:06:42AM -0400, x x wrote: > it's an old Intel video on Inspiron from 2003. I already uncommented > machdep.allowaperture=2, and when I type startx I get > > xauth: creating new authority file /root/.serverauth.24871 without even looking past the ring stall, that's an 845. force XAA mode and you'll be ok. it's an intel driver bug. -- All I ask is a chance to prove that money can't make me happy.
Re: help with getting kernel/userland back in sync
I'll answer my own question. It seems it's not a problem of the kernel and userland being out of sync, but rather /sbin/sysctl was hosed too. rebuilt and problem disappeared. I'm guessing that either I had some junk in /usr/obj/sbin or the patch instructions for libssl need to mention doing a "make clean" after "cd ../../sbin". Rob Urban Robert Urban wrote: > Hi Folks, > > I recently upgraded a 4.4 system to 4.5. I followed the Upgrade Guide, not > using > sysmerge. The upgrade went more-or-less ok. After that, I wanted to install > the five patches on the 4.5 errata page. > > I copied src.tar.gz and sys.tar.gz (for v4.5) from a mirror, unpacked them in > /usr/src, applied the first patch (libssl) and my make failed at some point > with > errors. I removed the /usr/src tree, and created it again from scratch. > > I tried the make again (without applying patch) and it failed again, so I > concluded I need to sync with CVS. This seems weird. I would have thought > the > src/sys tars would be clean... > > I updated the tree from CVS using: > > cd /usr/src && cvs up -r OPENBSD_4_5_BASE -Pd > > as documented in release(8). > > I repeated my attempt to make libssl, which was successful. I applied the > rest > of the patches, (aucat and 3 kernel patches), built a new kernel (GENERIC.MP), > installed it, and rebooted. > > First I had to figure out that /sbin/ifconfig was hosed and rebuilt it. (it > got > hosed/installed when I did the "make install" for /usr/src/sbin after building > libssl. I'm not sure why.) > > Now I get the following messages at boot (10 repetitions): > > sysctl: fourth level name dad_pending in net.inet6.ip6.dad_pending is invalid > > which is in the v4.5 /etc/netstart script. According to a mail from Stuard > Henderson, this means my kernel and userland are out of sync. It's not clear > to > me how this could be, as /etc/netstart is v4.5 and the src/sys sources I used > also. > > Can someone shed some light on this problem? > > thanks, > > Rob Urban
ypldap and ldaps
Hello community.

I would like to use ypldap with our LDAP server, which works over SSL. The problem is how to change ypldap.conf to work with ldaps. I will appreciate any ideas.

thanks.
Hey, what is it http://www.openbsdsupport.org/obsd_php_mysql.html
subj
Re: how to configure Grub 0.97 for booting my OpenBSD 4.5
On 5/6/09 5:07 PM, Feifei (??) wrote:
> The Grub version is distributed with the Ubuntu 8.04 which is installed in
> (hd0,6)
>
> How to resolve it?

Use the chainloader to call the OpenBSD bootloader. Something like:

    title OpenBSD
    root (hd0,a)
    makeactive
    chainloader +1

ciao
Luca
Re: HD 'Analysis'
2009/5/6, Steve Shockley :
> The self-tests take the drive offline while they run, right? Do you

No.

man smartctl

Best
Martin
help with getting kernel/userland back in sync
Hi Folks,

I recently upgraded a 4.4 system to 4.5. I followed the Upgrade Guide, not using sysmerge. The upgrade went more-or-less ok. After that, I wanted to install the five patches on the 4.5 errata page.

I copied src.tar.gz and sys.tar.gz (for v4.5) from a mirror, unpacked them in /usr/src, applied the first patch (libssl) and my make failed at some point with errors. I removed the /usr/src tree, and created it again from scratch.

I tried the make again (without applying patch) and it failed again, so I concluded I need to sync with CVS. This seems weird. I would have thought the src/sys tars would be clean...

I updated the tree from CVS using:

    cd /usr/src && cvs up -r OPENBSD_4_5_BASE -Pd

as documented in release(8).

I repeated my attempt to make libssl, which was successful. I applied the rest of the patches, (aucat and 3 kernel patches), built a new kernel (GENERIC.MP), installed it, and rebooted.

First I had to figure out that /sbin/ifconfig was hosed and rebuilt it. (it got hosed/installed when I did the "make install" for /usr/src/sbin after building libssl. I'm not sure why.)

Now I get the following messages at boot (10 repetitions):

    sysctl: fourth level name dad_pending in net.inet6.ip6.dad_pending is invalid

which is in the v4.5 /etc/netstart script. According to a mail from Stuart Henderson, this means my kernel and userland are out of sync. It's not clear to me how this could be, as /etc/netstart is v4.5 and the src/sys sources I used also.

Can someone shed some light on this problem?

thanks,

Rob Urban
OpenVPN destroys tun
So apparently OpenVPN is a douche of an application by destroying/recreating any tun devices you ask it to bind to. This causes havoc with pf/altq if you queue on those tun interfaces. I've asked on the openvpn-users mailing list if there's any way to have OpenVPN avoid teardown of an existing tun(4) interface but nobody had any useful answers (besides "use the up/down scripts")... yeah, thanks. Has anyone here used OpenVPN in server mode and overcome this? Thanks, -- Jason Dixon DixonGroup Consulting http://www.dixongroup.net/
Re: RES: Migration from IPTABLES to PF
On Wed, May 6, 2009 02:41, Tomáš Bodžár wrote:
> I think that in case of pf a good start point is this site
> http://home.nuug.no/~peter/pf/ and then FAQ parts

it always helps me to read https://calomel.org/ when in doubt. :)
(the new photo looks cool also =] )

matheus

> 2009/5/5 William Chivers :
>> Hello Ricardo,
>>
>> This is not a beginners' mailing list, people here expect questions to
>> 1. be very specific, and
>> 2. demonstrate that you have spent a lot of time trying to solve the
>>    problem yourself, reading the documentation etc.
>>
>> Start with http://www.openbsd.org/faq/pf/index.html
>> If you still need help, there are several books on pf, for example "The
>> Book of PF" (http://nostarch.com/pf.htm).
>>
>> Look back through the misc mailing list to see how specific questions
>> about pf are. When you have a specific question, the best help available
>> is right here.
>>
>> Bill
>>
>> -
>> William J. Chivers
>> Lecturer in Information Technology
>> School of DCIT
>> Faculty of Science and Information Technology
>> University of Newcastle---Ourimbah Campus
>> PO Box 127, Ourimbah, NSW 2259
>> Australia
>> CRICOS Provider Number: 00109J
>>
>> phone: +61 2 4349 4473
>> fax: +61 2 4349 4565
>> email: william.chiv...@newcastle.edu.au
>> -
> Ricardo Augusto de Souza 05/06/09 5:08 AM
>> Thanks for this 'polite' reply.
>> As I said I spent some years away from Unix/Linux world,
>> I worked with business intelligence these years.
>> Now I am back to network administration and I got this project to do.
>> I used openbsd before version 3. I do like it.
>>
>> This is my current scenario.
>> - 2 firewalls with 2 carp+pfsync that will handle 2 internet connections,
>> 1 mpls connection, 1 lan to handle around 60 bus company that transport 2
>> million users per day, each user has your own myfair card. Each bus has a
>> system that store this data in a file. This files will be imported to
>> Oracle later. After this import, there are a lot of specific applications
>> that uses this informations.
>> - behind this 2 firewalls we have around 30 servers: ( most Windows) iis,
>> file transfer servers,ws, and some other servers like some red hat
>> enterprise running Oracle 10g.
>> - at the beginning the firewalls will do Nat + filter + gateway +
>> mpd5+squid ( the fucking operators who need access to the Windows servers
>> were surfing on web from there. )
>> - our applications has around 5,000 users per day, but we have a lot of
>> web services and some etl process ( i dont have statistics about volume
>> yet)
>>
>> So that is it.
>>
>>
>> -Original Message-
>> From: William Chivers [mailto:william.chiv...@newcastle.edu.au]
>> Sent: Monday, May 4, 2009 22:46
>> To: Ricardo Augusto de Souza; misc@openbsd.org
>> Subject: Re: Migration from IPTABLES to PF
>>
>> This is a great advertisement for OpenBSD, PF, and keeping things simple
>> in general, mind if I use it Ricardo?
>>
>> As for your original question, I wouldn't even try to convert your
>> iptables, especially using some magic tool to do it. Decide what you want
>> your firewall to do and start from scratch with PF. That way you will know
>> it is working and you will be able to maintain it reliably.
>>
>> Cheers, Bill
>>
>>
>> -
>> William J. Chivers
>> Lecturer in Information Technology
>> School of DCIT
>> Faculty of Science and Information Technology
>> University of Newcastle---Ourimbah Campus
>> PO Box 127, Ourimbah, NSW 2259
>> Australia
>> CRICOS Provider Number: 00109J
>>
>> phone: +61 2 4349 4473
>> fax: +61 2 4349 4565
>> email: william.chiv...@newcastle.edu.au
>> -
> Ricardo Augusto de Souza 05/05/09 3:17 AM
>
>> Hi,
>>
>> I have a firewall running on a Fedora Core 4 (Stentz) with iptables. The
>> guy who installed it left our company some months ago.
>> I spent some years far from iptables, now I have to migrate this firewall
>> to PF.
>> There are some 'special' features on this firewall, I need some
>> documentation or help about implementing these features at new firewall
>> ( PF ).
>>
>> This is the iptables scripts:
>>
>> #!/bin/bash
>> FW=/sbin/iptables
>> LOAD=/sbin/modprobe
>> #__
>>
>> # Loading the IPTABLES module
>> . /etc/rc.d/init.d/prodata/fw_modulos
>>
>> # Loading variables
>> . /etc/rc.d/init.d/prodata/fw_variaveis
>>
>> if [ $KERNEL = "sim" ]
>>   then . /etc/rc.d/init.d/prodata/fw_kernel
>> fi
>>
>> #___
>> # Create LOG policies
>> #___
>>
>> if [ $LOGS = "sim" ]
>>   then
Re: Installboot to usb drive?
At 08:28 PM 5/5/2009 -0400, you wrote:

You are (probably) changing from sd0 to wd0, but that only messes up your /etc/fstab file.

Good point!

Usual error is to forget that "boot" specified on the installboot command line is not the one in the installboot directory or your current root partition, but rather the /boot that exists on the root partition of the target drive (i.e., the "boot" you WILL use, not the one that you already used).

Confirmed. Here is what worked:

First problem, I missed the '/mnt' for boot:

    /usr/mdec/installboot -v /mnt/boot /usr/mdec/biosboot wd0

I used both sd0 and wd0 to make sure it would work, .. both indicated 'cross-device install'?

Am I correct that the boot *device* specified should be wd0, when the drive will be physically used as bootable?

Thanks!

Lee
how to configure Grub 0.97 for booting my OpenBSD 4.5
Hi, guys,

I just installed OpenBSD 4.5, but my grub configuration can't boot it. Before that, I used OpenBSD 4.2; it is a new installation, not an upgrade.

The OpenBSD slice is in (hd0,2). When I used OpenBSD 4.2, I used chainloader to boot it:

    root (hd0,a)
    makeactive
    chainloader +1

It works well with OpenBSD 4.2.

But if I use it to boot 4.5, I only get an error:

    Starting up ...
    Loading ...
    ERR M

If I use this configuration to boot it:

    root (hd0,a)
    kernel --type=openbsd /bsd
    boot

the screen shows me this:

    , <0x200120:0x5c299c:0x102bc8>, shtab=0x8c6140Strating up ...
    panic: /boot too old: upgrade!
    Stopped at 0xd0499848: leave
    (null) (0,d071a8df, d078c44, d08c7f74, 8c6000) at 0xd0499848
    (null) (d0717582,d08c7f74,d08c7f9c,d049d101,0) at 0xd0363085
    (null) (8cd000) at 0xd049d415
    Run at least 'trace' and 'ps' and include output when reporting this panic!
    don't even bother reporting this without including that inforamtion!
    ddb>

After running "trace", I get the same result:

    (null) (0,d071a8df, d078c44, d08c7f74, 8c6000) at 0xd0499848
    (null) (d0717582,d08c7f74,d08c7f9c,d049d101,0) at 0xd0363085
    (null) (8cd000) at 0xd049d415

After running ps, the result is null.

The Grub version is distributed with the Ubuntu 8.04 which is installed in (hd0,6).

How to resolve it?

Thanks.
Re: OpenBGPD transparent-as issue
On Wed, May 06, 2009 at 07:20:58AM -0700, Tom Martin wrote:
> Thnx for your fast reply.
> It works very well and saved us a lot of configuration time! By the way do
> you know why this isn't necessary by using Quagga? (A little bit off topic,
> but I am just wondering).
>

They don't know sane defaults. We try to help people get good -- a bit paranoid -- default config while other projects and vendors believe in that every system must behave like a Cizzzcoee so that CCIE are not lost.

-- 
:wq Claudio
Re: OT: 10GbE Physical Network Taps
On Wed, May 6, 2009 at 3:42 PM, Diana Eichert wrote:
> On Wed, 6 May 2009, J.C. Roberts wrote:
>
>> I need to collect raw throughput statistics without increasing latency
>> or reducing bandwidth on 10GbE fiber links, so most of the typical
>> methods are out of the question (i.e. like bridging, SPAN sessions on a
>> switch, ...). As far as my understanding allows, I believe the best way
>> to do this is with a physical network tap connected to monitoring
>> equipment. I figure folks running/maintaining OpenBSD firewalls might
>> be familiar with using physical network taps for deploying IDS/IPS since
>> using bridges on such systems is a "Bad Idea" (R)(TM).
>>
>> I've found one company [1] which offers what I need, but I was wondering
>> if anyone can recommend a vendor of physical network taps?
>>
>> Thanks,
>> jcr
>>
>>
>> [1] http://www.networktaps.com/products/index.html
>>
>> --
>> J.C. Roberts
>
> JC
>
> We use physical taps at work, when I get the chance I'll take a look at
> the vendor.
>
> Also, you really think you can capture 10GE? Chuckle, good luck.
>
> diana
>
>

NSA,MI(x)/GCHQ,ASIO and their vendor friends would beg to differ. I can't see any black helicopters and my Tin Foil hat fits fine thanks for asking.
Re: Mplayer problem with new dualhead setup
I seem to have this fixed now. I changed my .xinitrc to specify modes AND positions explicitly, getting rid of --left-of stuff. Now the problem is gone.

Chris Bennett wrote:
I just installed a Radeon 9700 in dualhead. That is working fine as far as I can tell. I am getting what looks like flashes of diagonal text when playing a video in youtube. Goes away if I leave video screen. Sound is unaffected. Using scrotwm. i386, recent -current

Chris Bennett
Re: OT: 10GbE Physical Network Taps
On Wed, 6 May 2009, J.C. Roberts wrote:

I need to collect raw throughput statistics without increasing latency or reducing bandwidth on 10GbE fiber links, so most of the typical methods are out of the question (i.e. like bridging, SPAN sessions on a switch, ...). As far as my understanding allows, I believe the best way to do this is with a physical network tap connected to monitoring equipment. I figure folks running/maintaining OpenBSD firewalls might be familiar with using physical network taps for deploying IDS/IPS since using bridges on such systems is a "Bad Idea" (R)(TM).

I've found one company [1] which offers what I need, but I was wondering if anyone can recommend a vendor of physical network taps?

Thanks,
jcr

[1] http://www.networktaps.com/products/index.html

-- 
J.C. Roberts

JC

We use physical taps at work, when I get the chance I'll take a look at the vendor.

Also, you really think you can capture 10GE? Chuckle, good luck.

diana
Re: [dera...@cvs.openbsd.org: Re: I would like to send this to misc@ and security-announce@, from me.]
> > e.g. ftp://mirrors.nic.funet.fi/ftp.openbsd.org/pub/OpenBSD/
>
> I'll make a bulk check of the mirrors that haven't got 4.5 yet
> sometime soon and remind them to update their rsync inclusion
> lists. I'll give it a bit longer because some are probably
> still trying to fetch the release.
>

And there is a big difference between a mirror that is behind, and a mirror that is providing you with something that is not what it purports to be.
Re: OpenBGPD transparent-as issue
Thnx for your fast reply.

It works very well and saved us a lot of configuration time! By the way do you know why this isn't necessary by using Quagga? (A little bit off topic, but I am just wondering).

Henning Brauer wrote:
>
> * Tom Martin [2009-05-06 15:41]:
>> May 6 17:00:01 openBSD4-5 bgpd[5747]: neighbor 192.168.113.100 (test.4):
>> received notification: error in UPDATE message, AS-Path unacceptable
>>
>> At the client side we see a fatal error:
>>
>> Apr 6 17:00:05 bsd bgpd[24969]: neighbor 192.168.113.1 (test): state
>> change Established -> Idle, reason: Fatal error
>>
>> When we use quagga as client the session is doing fine on both sides,
>> even with community filters. When we are using OpenBGPD we keep facing
>> this message until we are removing the following line: transparent-as yes.
>> Is this a comment problem, or is this a bad configuration of us?
>
> bad config on the client side - must use
>     enforce neighbor-as no
>
> OpenBGPD enforces that AS Paths from a neighbor begin with his AS by
> default. If the neighbor is a transparent route-server, that is - of
> course - not the case.
>
> --
> Henning Brauer, h...@bsws.de, henn...@openbsd.org
> BS Web Services, http://bsws.de
> Full-Service ISP - Secure Hosting, Mail and DNS Services
> Dedicated Servers, Rootservers, Application Hosting - Hamburg & Amsterdam
>
>

-- 
View this message in context: http://n2.nabble.com/OpenBGPD-transparent-as-issue-tp2815387p2816439.html
Sent from the OpenBSD Misc mailing list archive at Nabble.com.
Re: OpenBGPD transparent-as issue
* Tom Martin [2009-05-06 15:41]:
> May 6 17:00:01 openBSD4-5 bgpd[5747]: neighbor 192.168.113.100 (test.4):
> received notification: error in UPDATE message, AS-Path unacceptable
>
> At the client side we see a fatal error:
>
> Apr 6 17:00:05 bsd bgpd[24969]: neighbor 192.168.113.1 (test): state change
> Established -> Idle, reason: Fatal error
>
> When we use quagga as client the session is doing fine on both sides, even
> with community filters. When we are using OpenBGPD we keep facing this
> message until we are removing the following line: transparent-as yes. Is
> this a comment problem, or is this a bad configuration of us?

bad config on the client side - must use

    enforce neighbor-as no

OpenBGPD enforces that AS Paths from a neighbor begin with his AS by default. If the neighbor is a transparent route-server, that is - of course - not the case.

-- 
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting - Hamburg & Amsterdam
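Added example, not part of the thread and not OpenBGPD code: a simplified Python model of the leftmost-AS check that `enforce neighbor-as` controls, run over constructed AS_PATH values built from the AS numbers in this thread's configuration. The function names, the 2-octet AS encoding and the treatment of a path that starts with an AS_SET are assumptions of the sketch.

```python
"""Simplified model of the leftmost-AS check behind `enforce neighbor-as`.

Illustration only. The AS_PATH values are constructed from the AS numbers
used in the thread (route server 64512, peers 64513 and 64516).
"""
import struct

AS_SET, AS_SEQUENCE = 1, 2            # path segment types (RFC 4271)
# NOTIFICATION sent on failure: UPDATE Message Error (3), Malformed AS_PATH (11)
ERR_MALFORMED_AS_PATH = (3, 11)


def encode_as_sequence(asns):
    """Build an AS_PATH attribute value holding one AS_SEQUENCE (2-octet ASNs)."""
    return struct.pack("!BB%dH" % len(asns), AS_SEQUENCE, len(asns), *asns)


def parse_as_path(value):
    """Decode an AS_PATH attribute value into [(segment_type, [asn, ...]), ...]."""
    segments, off = [], 0
    while off < len(value):
        if len(value) - off < 2:
            raise ValueError("truncated segment header")
        seg_type, count = value[off], value[off + 1]
        off += 2
        if seg_type not in (AS_SET, AS_SEQUENCE):
            raise ValueError("unknown segment type %d" % seg_type)
        end = off + 2 * count
        if count == 0 or end > len(value):
            raise ValueError("bad segment length")
        segments.append((seg_type, list(struct.unpack("!%dH" % count, value[off:end]))))
        off = end
    return segments


def leftmost_as(segments):
    """First AS of the path, or None if the path is empty or starts with an AS_SET.

    Assumption of this sketch: an AS_SET is unordered, so it has no leftmost AS.
    """
    if not segments or segments[0][0] != AS_SEQUENCE:
        return None
    return segments[0][1][0]


def check_update(as_path_value, remote_as, enforce_neighbor_as=True):
    """Return (accepted, reason) for an UPDATE received from an eBGP neighbor."""
    try:
        segments = parse_as_path(as_path_value)
    except ValueError as exc:
        return False, "malformed AS_PATH: %s" % exc
    first = leftmost_as(segments)
    if enforce_neighbor_as and first != remote_as:
        return False, "leftmost AS %s is not neighbor AS %d" % (first, remote_as)
    return True, "ok"


ROUTE_SERVER_AS = 64512   # `AS $ASN` on the route server
ORIGIN_AS = 64513         # AS1 in the route server's macros

# A normal eBGP speaker prepends its own AS before re-announcing a route.
via_prepending_peer = encode_as_sequence([ROUTE_SERVER_AS, ORIGIN_AS])
# With `transparent-as yes` the route server leaves the path untouched.
via_transparent_rs = encode_as_sequence([ORIGIN_AS])

if __name__ == "__main__":
    # The client (AS 64516) has `remote-as 64512` for the route server.
    for label, path in (("prepending peer", via_prepending_peer),
                        ("transparent route server", via_transparent_rs)):
        for enforce in (True, False):
            print(label, "enforce=%s" % enforce,
                  check_update(path, ROUTE_SERVER_AS, enforce))
```

The rejected case corresponds to the "AS-Path unacceptable" notification in the logs above; on sessions where the check stays enabled, it rejects a neighbor's announcements whose path does not begin with that neighbor's own AS.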
Re: OT: 10GbE Physical Network Taps
Hello jcr,

Not quite sure if this would meet your needs, but you could look at anue systems: http://www.anuesystems.com

Cheers,
Simon.

On Wed May 6 13:33 , "J.C. Roberts" sent:

I need to collect raw throughput statistics without increasing latency or reducing bandwidth on 10GbE fiber links, so most of the typical methods are out of the question (i.e. like bridging, SPAN sessions on a switch, ...). As far as my understanding allows, I believe the best way to do this is with a physical network tap connected to monitoring equipment. I figure folks running/maintaining OpenBSD firewalls might be familiar with using physical network taps for deploying IDS/IPS since using bridges on such systems is a "Bad Idea" (R)(TM).

I've found one company [1] which offers what I need, but I was wondering if anyone can recommend a vendor of physical network taps?

Thanks,
jcr

[1] http://www.networktaps.com/products/index.html

-- 
J.C. Roberts

- Get your own free e-mail address at Start.no
OpenBGPD transparent-as issue
Hi all,

At the moment we are running some tests to use OpenBGPD as a Route-server instead of using Quagga. The first tests are very positive, but we are facing one major problem. We tried our solution on OpenBSD 4.4 as well under 4.5.

When we made one route-server, which means that we remove the private AS to all the neighbors, and this not working under OpenBGPD. The route-server can easily make a connection to a lot of quagga/cisco routers, but when a OpenBGPD client wants to join we are facing the following error on the server side:

    May 6 17:00:01 openBSD4-5 bgpd[5747]: neighbor 192.168.113.100 (test.4): received notification: error in UPDATE message, AS-Path unacceptable

At the client side we see a fatal error:

    Apr 6 17:00:05 bsd bgpd[24969]: neighbor 192.168.113.1 (test): state change Established -> Idle, reason: Fatal error

When we use quagga as client the session is doing fine on both sides, even with community filters. When we are using OpenBGPD we keep facing this message until we are removing the following line: transparent-as yes. Is this a comment problem, or is this a bad configuration of us?

Configuration route-server:

    #macros
    ASN="64512"
    peer1="192.168.113.2"
    AS1="64513"
    peer2="192.168.113.3"
    AS2="64514"
    peer3="192.168.113.4"
    AS3="64515"
    peer4="192.168.113.100"
    AS4="64516"
    peer5="192.168.113.101"
    AS5="65534"

    # global configuration
    router-id 192.168.113.1
    AS $ASN
    log updates
    transparent-as yes
    # network 10.0.1.0/24

    neighbor $peer1 {
        remote-as $AS1
        descr test.1
        announce all
        max-prefix 100 restart 300
        softreconfig in yes
        # tcp md5sig key deadbeef
    }
    neighbor $peer2 {
        remote-as $AS2
        descr test.2
        announce all
        softreconfig in yes
        max-prefix 100 restart 1
    }
    neighbor $peer3 {
        remote-as $AS3
        descr test.3
        announce all
        softreconfig in yes
        max-prefix 100 restart 300
    }
    neighbor $peer4 {
        remote-as $AS4
        descr test.4
        local-address 192.168.113.1
        holdtime 180
        holdtime min 3
        announce all
        softreconfig in yes
        #max-prefix 100 restart 300
    }
    neighbor $peer5 {
        remote-as $AS5
        descr test.5
        announce all
        softreconfig in yes
        max-prefix 100 restart 300
    }

    # filter out prefixes longer than 24 or shorter than 8 bits
    deny from any
    allow from any inet prefixlen 8 - 24

    # Filter the general prefixes
    # deny to any community *:*
    # allow to any community 64512:64512

    # Filter the per-peer prefixes
    allow to $peer1 community $ASN:neighbor-as
    deny to $peer1 community 0:neighbor-as
    allow to $peer2 community $ASN:neighbor-as
    deny to $peer2 community 0:neighbor-as
    allow to $peer3 community $ASN:neighbor-as
    deny to $peer3 community 0:neighbor-as
    allow to $peer4 community $ASN:neighbor-as
    deny to $peer4 community 0:neighbor-as

Easy configuration of a client:

    AS 64516
    router-id 192.168.113.100
    # log updates
    network 3.3.3.0/24

    neighbor 192.168.113.1 {
        remote-as 64512
        descr test
        local-address 192.168.113.100
        holdtime 180
        holdtime min 3
        announce all
        max-prefix 100 restart 300
        softreconfig in yes
    }

Thanks in advance!

Tom Martin

-- 
View this message in context: http://n2.nabble.com/OpenBGPD-transparent-as-issue-tp2815387p2815387.html
Sent from the OpenBSD Misc mailing list archive at Nabble.com.
Mplayer problem with new dualhead setup
I just installed a Radeon 9700 in dualhead. That is working fine as far as I can tell. I am getting what looks like flashes of diagonal text when playing a video in youtube. Goes away if I leave video screen. Sound is unaffected. Using scrotwm. i386, recent -current

Chris Bennett
Re: no init scripts, what is the best way to start dnsmasq
Mark Shroyer wrote:
> On Tue, May 05, 2009 at 02:11:57PM +0200, Coert Waagmeester wrote:
>> I have installed dnsmasq on OpenBSD.
>>
>> What is the best way to start it? Should I start it
>> from /etc/rc.securelevel, or rc.local?
> It's best not to think of this in terms of SysV-style init scripts. In
> OpenBSD, shell commands in /etc/rc.local get run at boot time, so all
> you have to do is put some command in there to launch dnsmasq in any
> fashion that you see fit. So it would suffice to simply add a line with
> "/usr/local/sbin/dnsmasq"; however, for consistency with the way things
> are launched in /etc/rc, I generally do something like the following:
>
> ,--- /etc/rc.local ---
> if [ X"${dnsmasq_flags-NO}" != X"NO" -a -x /usr/local/sbin/dnsmasq ]; then
  ^^^

Ooh how lovely to see someone else doing this! :-)

For the archives - if used consequently, this way makes it amazingly easy to start only certain services via /etc/rc.local; e.g.

    $ sudo dnsmasq_flags= sh /etc/rc.local

while

    $ sudo sh /etc/rc.local

would not start anything (well, unless you have stupid names for the variables in your /etc/rc that match exported variables from the shell and sudo is set up to pass these on. That should not be the case very often)

/Alexander

>     echo -n ' dnsmasq'; /usr/local/sbin/dnsmasq ${dnsmasq_flags}
> fi
> `-
>
> ,--- /etc/rc.conf.local --
> dnsmasq_flags=
> `-
>
> This way, if you want to temporarily disable dnsmasq, you can simply
> remove the line in rc.conf.local or change it to "dnsmasq_flags=NO".
Re: X won't work
On Wed, 06 May 2009 04:06:42 -0400 (EDT) "x x" wrote:
> it's an old Intel video on Inspiron from 2003. I already uncommented
> machdep.allowaperture=2, and when I type startx I get

easy answer: Search the archives

easier answer: xorg.conf DEVICE section

    Option "AccelMethod" "XAA"
    Option "DDC2" "false"

-- 
J.C. Roberts
OT: 10GbE Physical Network Taps
I need to collect raw throughput statistics without increasing latency or reducing bandwidth on 10GbE fiber links, so most of the typical methods are out of the question (i.e. like bridging, SPAN sessions on a switch, ...). As far as my understanding allows, I believe the best way to do this is with a physical network tap connected to monitoring equipment. I figure folks running/maintaining OpenBSD firewalls might be familiar with using physical network taps for deploying IDS/IPS since using bridges on such systems is a "Bad Idea" (R)(TM).

I've found one company [1] which offers what I need, but I was wondering if anyone can recommend a vendor of physical network taps?

Thanks,
jcr

[1] http://www.networktaps.com/products/index.html

-- 
J.C. Roberts
Re: X won't work
Maybe this is not the case but it might be possible to have many instances of the server ending with the same error. Try killing all instances, and then try again. If there are many instances, trying to start another one merely fails because there already exists /tmp/.X0-lock. From the bottom of the error message it seems it is a lock problem. And then again maybe this is not the case. --- On Wed, 5/6/09, x x wrote: > From: x x > Subject: X won't work > To: misc@openbsd.org > Date: Wednesday, May 6, 2009, 1:06 AM > it's an old Intel video on Inspiron from 2003. I already > uncommented > machdep.allowaperture=2, and when I type startx I get > > xauth: creating new authority file /root/.serverauth.24871 > > X.Org X Server 1.5.3 > Release Date: 5 November 2008 > X Protocol Version 11, Revision 0 > Build Operating System: OpenBSD 4.5 i386 > Current Operating System: OpenBSD lengsel.vc.shawcable.net > 4.5 GENERIC#0 > i386 > Build Date: 05 May 2009 03:10:16PM > > Before reporting problems, check http://wiki.x.org > to make sure that you have the latest version. > Markers: (--) probed, (**) from config file, (==) default > setting, > (++) from command line, (!!) notice, (II) informational, > (WW) warning, (EE) error, (NI) not implemented, (??) > unknown. 
> (==) Log file: "/var/log/Xorg.0.log", Time: Tue > May 5 18:00:43 2009 > (EE) Unable to locate/open config file > New driver is "intel" > (==) Using default built-in configuration (30 lines) > (EE) Failed to load module "fbdev" (module does > not exist, 0) > Error in I830WaitLpRing(), timeout for 2 seconds > pgetbl_ctl: 0x1ffe0001 getbl_err: 0x0021 > ipeir: 0x iphdr: 0x54f6 > LP ring tail: 0x9fe0 head: 0xa000 len: 0x0001f001 > start > 0x > eir: 0x esr: 0x0010 emr: 0xff7b > instdone: 0xff41 instpm: 0x > memmode: 0x instps: 0x0820 > hwstam: 0xeffe ier: 0x0042 imr: 0xffbf iir: 0x > Ring at virtual 0x8bd7d000 head 0xa000 tail 0x9fe0 count > 32760 > Ring at virtual 0x8bd7d000 head 0xa000 tail 0x9fe0 count > 32760 > Ring end > space: 24 wanted 32 > > Fatal server error: > lockup > > giving up. 
> xinit: Connection refused (errno 61): unable to connect to > X server > xinit: No such process (errno 3): Server error.
Re: HD 'Analysis'
On 5/5/2009 11:49 AM, L. V. Lammert wrote:
> Some good options, .. seems like all are DOS, however !! I guess that's no big deal if you're rebooting for the analysis, but it does not seem 'right'!

No, they have a Windows version of Victoria! Personally, I use these kinds of utilities to see if a drive is worth saving, when I can do destructive tests. For example I "recovered" a 250gb disk from an XServe RAID that I use as a second drive in my work desktop. SMART reports 300 reallocation events, but no matter what I do that doesn't increase. I use it for temporary storage for easy-to-replace data.
Re: HD 'Analysis'
On 5/5/2009 12:50 PM, Josi Quinteiro wrote:
> First thing I do with a new hard drive is run a long self-test using smartctl. If it passes it gets added to the system. I have smartd set to do a daily short self-test and a weekly long self-test on every drive. Replace any drives that start to show errors.

The self-tests take the drive offline while they run, right? Do you unmount them first, or is the system okay just waiting until the drive responds?
Re: route(8) delete - need a little help
On Tuesday 05 May 2009 20.23.06 Claudio Jeker wrote: > On Tue, May 05, 2009 at 01:27:21PM +0200, LEVAI Daniel wrote: > > Hi! > > > > I have this in my route table: > > 10/8 link#1 UC 50 - 4 > > em0 10/8 UGS0 1072 - 8 > > tun1 > > > > How can I delete only the first line, the route with the em0 device? > > So far I can only execute this: > > # route delete 10/8 > > > > But this is too ambigious. > > > > I thought of something like this: > > # route delete 10/8 -dev em0 > > but of course this will not gonna happen. > You've assigned an address on 10/8 to em0. Delete that address from > the interface if you don't want to have that route. (If you're trying > to have 10/8 on both ends of a tunnel then you need to back up and > rethink what you're trying to do.) > [...] > > ifconfig em0 delete > > because this is a interface route and not deletable by route(8) > unless you know the magic and the consequences. Thanks Claudio and Philip. Now I see. Daniel -- LIVAI Daniel PGP key ID = 0x4AC0A4B1 Key fingerprint = D037 03B9 C12D D338 4412 2D83 1373 917A 4AC0 A4B1
Re: A new toy for programmers who uses VIM on OpenBSD
(cc/reply-to set to ports@). useful :-) would you be interested in adding some kind of license (we like /usr/share/misc/license.template, but it's your choice)? then it could go into ports/packages. On 2009/05/06 09:01, Dasn wrote: > Hi guys, I wrote a toy which builds communications between VIM and > debuggers. The tool's main function is tracing the instruction pointer > in VIM while we debugging the program. That should be similar to Emacs's > Gud, I suppose. :) > > Here it is: > http://lrc.sf.net/bride-0.1.1.tar.gz > > And some screen shots: > http://lrc.sf.net/shot1.jpg > http://lrc.sf.net/shot2.jpg > > "make && make install" will do all the jobs for you. > For more info, see ":h Bride" in VIM. > > As the development just begins, it currently only supports two > debuggers: 'gdb' and 'pdb' (python's debugger), and was only tested on > OpenBSD. > > Any comments are appreciated. > > I'm not on misc@, please Cc me, thanks. > > -- > Dasn
Re: 4.5 - strange performance issue
I can confirm the problem, but it was not an X problem only...everything was slow. The problem was that my interrupts were up to 82.9%. Disabled acpiprt and acpimadt in the kernel and it all works ok. On Wed, May 6, 2009 at 11:35 AM, Andrei GUDIU wrote: > > Try to enable EXA and play with Option "MigrationHeuristic" "greedy" > > > > I can confirm this solved my X problem. And it was really really a slow X. > I added > >Option "AccelMethod" "EXA" >Option "MigrationHeuristic" "greedy" > > in Section "Device".
Re: 4.5 - strange performance issue
> Try to enable EXA and play with Option "MigrationHeuristic" "greedy" > I can confirm this solved my X problem. And it was really really a slow X. I added Option "AccelMethod" "EXA" Option "MigrationHeuristic" "greedy" in Section "Device".
Re: No OpenBSD for Lenovo Thinkpad w500 4058CTO
Hi Nick, On Tue, 2009-05-05 at 09:48 -0400, Nick Guenther wrote: > Your disks aren't showing up in dmesg. Try tweaking your BIOS > settings--i know that I had to change from IDE emulation to AHCI when > I upgraded to 4.5. That did the trick. Thanks. I'm hoping to replace my current GNOME desktop with an OpenBSD-based one, so I can keep more in touch with this excellent little system;). Bill > On 05/05/2009, Bill Maas wrote: > > Hi, > > > > First, and just for the record: while trying to set up an FTP server on > > OpenBSD 4.2 I got this error message while trying to connect by any > > other address than 'localhost': > > > > 421 Service not available, remote server has closed connection. > > > > Reason, it turned out: a missing entry in /etc/hosts.allow. I had a hard > > time finding anything relevant out there, so now at least the relation > > between the error message and the missing entry is documented. > > > > > > The reason I needed an FTP server is that I'm trying to install OpenBSD > > 4.5 on a Lenovo Thinkpad W500 model 4058-CTO, with no success. With obsd > > 4.4 it never got past hardware initialization, with 4.5 at least I get > > the installer menu, but no for long: > > > > [...] > > Proceed with install? [n] y > > [...] > > > > No disks found > > # > > > > And no, I don't expect developers to _scramble to their laptops_ just > > because I as an OpenBSD user am _entitled to have this fixed ASAP_ and > > stuff like that. I was at least happy to see that the Fathers of OpenBSD > > in their infinite wisdom decided to use plain ftp for downloading > > packages, and not some custom-built single-purpose > > binary-installer-builtin, so I could at least get a dmesg off the box (I > > didn't manage to get a screen capture over USB). > > > > The output from the 'dmesg' command run from the shell commandline is > > listed below. I'm only an "index" list member, but feel free to contact > > me offlist if you need more info. 
I'll be happy to help testing any > > updates. And I'll be following any replies through the archives of > > course. > > > > An otherwise very happy OpenBSD user, > > > > > > Bill > > > > > > dmesg: > > -- > > OpenBSD 4.5 (RAMDISK_CD) #1112: Sat Feb 28 15:06:26 MST 2009 > > dera...@i386.openbsd.org:/usr/src/sys/arch/i386/compile/RAMDISK_CD > > cpu0: Intel(R) Core(TM)2 Duo CPU T9400 @ 2.53GHz ("GenuineIntel" > > 686-class) 2.53 GHz > > cpu0: > > FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,SSE3,MWAIT,DS-CPL,VMX,SMX,EST,TM2,CX16,xTPR > > real mem = 3214176256 (3065MB) > > avail mem = 3115958272 (2971MB) > > mainbus0 at root > > bios0 at mainbus0: AT/286+ BIOS, date 09/24/08, BIOS32 rev. 0 @ 0xfdc80, > > SMBIOS rev. 2.4 @ 0xe0010 (74 entries) > > bios0: vendor LENOVO version "6FET46WW (1.16 )" date 09/24/2008 > > bios0: LENOVO 4058CTO > > acpi0 at bios0: rev 2 > > acpi0: tables DSDT FACP SSDT ECDT APIC MCFG HPET SLIC BOOT ASF! SSDT > > SSDT SSDT SSDT SSDT > > acpimadt0 at acpi0 addr 0xfee0: PC-AT compat > > cpu0 at mainbus0: apid 0 (boot processor) > > cpu0: apic clock running at 265MHz > > cpu at mainbus0: not configured > > ioapic0 at mainbus0: apid 1 pa 0xfec0, version 20, 24 pins > > ioapic0: misconfigured as apic 2, remapped to apid 1 > > acpiprt0 at acpi0: bus 0 (PCI0) > > acpiprt1 at acpi0: bus 1 (AGP_) > > acpiprt2 at acpi0: bus 2 (EXP0) > > acpiprt3 at acpi0: bus 3 (EXP1) > > acpiprt4 at acpi0: bus -1 (EXP2) > > acpiprt5 at acpi0: bus 5 (EXP3) > > acpiprt6 at acpi0: bus 13 (EXP4) > > acpiprt7 at acpi0: bus 21 (PCI1) > > bios0: ROM list: 0xc/0xfc00 0xd/0x1000 0xd1000/0x1000 > > 0xd2000/0x1000 0xde000/0x1800! 
0xe/0x1 > > pci0 at mainbus0 bus 0: configuration mode 1 (bios) > > pchb0 at pci0 dev 0 function 0 "Intel GM45 Host" rev 0x07 > > ppb0 at pci0 dev 1 function 0 "Intel GM45 PCIE" rev 0x07: apic 1 int 16 > > (irq 11) > > pci1 at ppb0 bus 1 > > vga1 at pci1 dev 0 function 0 "ATI Mobility Radeon HD 3650" rev 0x00 > > wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation) > > "Intel GM45 HECI" rev 0x07 at pci0 dev 3 function 0 not configured > > em0 at pci0 dev 25 function 0 "Intel ICH9 IGP M AMT" rev 0x03: apic 1 > > int 20 (irq 11), address 00:1c:25:97:34:61 > > uhci0 at pci0 dev 26 function 0 "Intel 82801I USB" rev 0x03: apic 1 int > > 20 (irq 11) > > uhci1 at pci0 dev 26 function 1 "Intel 82801I USB" rev 0x03: apic 1 int > > 21 (irq 11) > > uhci2 at pci0 dev 26 function 2 "Intel 82801I USB" rev 0x03: apic 1 int > > 22 (irq 11) > > ehci0 at pci0 dev 26 function 7 "Intel 82801I USB" rev 0x03: apic 1 int > > 23 (irq 11) > > usb0 at ehci0: USB revision 2.0 > > uhub0 at usb0 "Intel EHCI root hub" rev 2.00/1.00 addr 1 > > "Intel 82801I HD Audio" rev 0x03 at pci0 dev 27 function 0 not > > configured > > ppb1 at pci0 dev 28 function 0 "Intel 82801I PCIE" rev 0x03: apic 1 int > > 20 (irq 11) > > pci2 at ppb
X won't work
it's an old Intel video on Inspiron from 2003. I already uncommented machdep.allowaperture=2, and when I type startx I get xauth: creating new authority file /root/.serverauth.24871 X.Org X Server 1.5.3 Release Date: 5 November 2008 X Protocol Version 11, Revision 0 Build Operating System: OpenBSD 4.5 i386 Current Operating System: OpenBSD lengsel.vc.shawcable.net 4.5 GENERIC#0 i386 Build Date: 05 May 2009 03:10:16PM Before reporting problems, check http://wiki.x.org to make sure that you have the latest version. Markers: (--) probed, (**) from config file, (==) default setting, (++) from command line, (!!) notice, (II) informational, (WW) warning, (EE) error, (NI) not implemented, (??) unknown. (==) Log file: "/var/log/Xorg.0.log", Time: Tue May 5 18:00:43 2009 (EE) Unable to locate/open config file New driver is "intel" (==) Using default built-in configuration (30 lines) (EE) Failed to load module "fbdev" (module does not exist, 0) Error in I830WaitLpRing(), timeout for 2 seconds pgetbl_ctl: 0x1ffe0001 getbl_err: 0x0021 ipeir: 0x iphdr: 0x54f6 LP ring tail: 0x9fe0 head: 0xa000 len: 0x0001f001 start 0x eir: 0x esr: 0x0010 emr: 0xff7b instdone: 0xff41 instpm: 0x memmode: 0x instps: 0x0820 hwstam: 0xeffe ier: 0x0042 imr: 0xffbf iir: 0x Ring at virtual 0x8bd7d000 head 0xa000 tail 0x9fe0 count 32760 Ring at virtual 0x8bd7d000 head 0xa000 tail 0x9fe0 count 32760 Ring end space: 24 wanted 32 Fatal server error: lockup giving up. xinit: Connection refused (errno 61): unable to connect to X server xinit: No such process (errno 3): Server error.
Re: RES: Migration from IPTABLES to PF
Tomáš, thanks for the tip Bill - William J. Chivers Lecturer in Information Technology School of DCIT Faculty of Science and Information Technology University of Newcastle---Ourimbah Campus PO Box 127, Ourimbah, NSW 2259 Australia CRICOS Provider Number: 00109J phone: +61 2 4349 4473 fax: +61 2 4349 4565 email: william.chiv...@newcastle.edu.au - >>> Tomáš Bodžár 05/06/09 3:41 PM >>> I think, that in case of pf is good start point this site http://home.nuug.no/~peter/pf/ and then FAQ parts 2009/5/5 William Chivers : > Hello Ricardo, > > This is not a beginners' mailing list, people here expect questions to > 1. be very specific, and > 2. demonstrate that you have spent a lot of time trying to solve the problem yourself, reading the documentation etc. > > Start with http://www.openbsd.org/faq/pf/index.html > If you still need help, there are several books on pf, for example "The Book of PF" (http://nostarch.com/pf.htm). > > Look back through the misc mailing list to see how specific questions about pf are. When you have a specific question, the best help available is right here. > > Bill > > - > William J. Chivers > Lecturer in Information Technology > School of DCIT > Faculty of Science and Information Technology > University of Newcastle---Ourimbah Campus > PO Box 127, Ourimbah, NSW 2259 > Australia > CRICOS Provider Number: 00109J > > phone: +61 2 4349 4473 > fax: +61 2 4349 4565 > email: william.chiv...@newcastle.edu.au > - Ricardo Augusto de Souza 05/06/09 5:08 AM >>> > Thanks for this 'polite' reply. > As I Said i spent some years away from Unix/Linux world, > I worked with business intelligence this years. > Now i AM back to network administration and i got this Project to do. > I used openbsd before version 3. I do like it. > > This is my current scenario. 
> - 2 firewalls with 2 carp+pfsync that Will handle 2 internet connections, 1 > mpls connection, 1 lan to handle around 60 bus company that transport 2 > million users per Day, each user has your own myfair card. Each bus has a > system that store this data in a file. This files Will be imported to Oracle > later. After this import, there are a lot of specific applications that uses > this informations. > - behind this 2 firewalls we have around 30 servers: ( most Windows) iis, > file transfer servers,ws, and some other servers like some red hat enterprise > running Oracle 10g. > - at the beginning the firewalls Will do Nat + filter + gateway + mpd5+squid > ( the fucking operators Who need Access to the Windows servers were surfing on > web from there. ) > - our applications has around 5,000 users per Day, but we have a lot of web > services and some etl process ( i dont have statistics about volume yet) > > So that is it. > > > -Mensagem original- > De: William Chivers [mailto:william.chiv...@newcastle.edu.au] > Enviada em: segunda-feira, 4 de maio de 2009 22:46 > Para: Ricardo Augusto de Souza; misc@openbsd.org > Assunto: Re: Migration from IPTABLES to PF > > This is a great advertisement for OpenBSD, PF, and keeping things simple in > general, mind if I use it Ricardo? > > As for your original question, I wouldn't even try to convert your iptables, > especially using some magic tool to do it. Decide what you want your firewall > to do and start from scratch with PF. That way you will know it is working and > you will be able to maintain it reliably. > > Cheers, Bill > > > - > William J. Chivers > Lecturer in Information Technology > School of DCIT > Faculty of Science and Information Technology > University of Newcastle---Ourimbah Campus > PO Box 127, Ourimbah, NSW 2259 > Australia > CRICO> email: william.chiv...@newcastle.edu.au > - Ricardo Augusto de Souza 05/05/09 3:17 AM > Hi, > > I have a firewall running on a Fedora Core 4 (STentz) with iptables. 
The Guy > Who installed it left our company some months ago. > I spent some years far from iptables, now i have to migrate this firewall to > PF. > THere are some 'special' features on this firewall, i need some > documentation > or help about implementing this features at new firewall ( PF ). > > This is the iptables scripts: > > #!/bin/bash > FW=/sbin/iptables > LOAD=/sbin/modprobe > #__ > > # Carregando Modulo do IPTABLES > . /etc/rc.d/init.d/prodata/fw_modulos > > # Carregando Variaveis > . /etc/rc.d/init.d/prodata/fw_variaveis > > if [ $KERNEL = "sim" ] > then . /etc/rc.d/init.d/prodata/fw_kernel > fi > > #___ > # Cria politicas de LOGs > #___ > > if [ $LOGS
Re: internal vs. external microphone: very different signal levels
On May 05 22:30:26, Jacob Meuser wrote: > On Tue, May 05, 2009 at 09:17:52PM +0200, Jan Stary wrote: > > On Apr 25 22:23:21, Jacob Meuser wrote: > > > On Sat, Apr 25, 2009 at 01:15:33PM +0200, Jan Stary wrote: > > > > Hi all, > > > > > > > > I am doing some trivial sound-recording on my Compaq Armada 110 laptop > > > > (dmesg and mixerctl below). The sound device is > > > > > > > > auvia0 at pci0 dev 7 function 5 "VIA VT82C686 AC97" rev 0x20: irq 9 > > > > audio0 at auvia0 > > > > > > for ac97 devices, the codec is also very important. although the > > > AD1881A looks pretty standard. no jack sense or anything. > > > > > > > and it works without problems. > > > > > > > > Now, the laptop has an internal microphone - that tiny little hole > > > > you have seen on some laptops. It records fine, set up as > > > > > > > > inputs.mic=255 > > > > inputs.mic.mute=off > > > > inputs.mic.preamp=on > > > > inputs.mic.source=mic0 > > > > record.source=mic > > > > > > > > The laptop also has an input for an external mike (the usual small jack, > > > > just next to the headphones output). When you plug in an external mike, > > > > the audio chip is smart enough to record from that one, and no longer > > > > record from the internal mike. (I use Shure SM57 as the external mike, > > > > which I believe is irrelevant.) Recording with the external mike plugged > > > > in works fine too, EXCEPT the signal level from the external mike is > > > > much weaker, and I wonder why. > > > > > > maybe there is a separate preamp on the internal mic pin? > > > > Well, both mikes do respond to setting > > > > inputs.mic.preamp=off/on > > > > so I suppose either each has its own preamp, > > or there is just one mic preamp, pre-amping > > the one mike (int/ext) that is currently in use. > > yes, there is one preamp on the mic pin in the codec. > > but, there could be *external to the codec* preamp circuitry between > the built-in mic and the codec. the codec's datasheet explains how > to do this. 
> > > does changing inputs.mic.source have any effect? > > > > inputs.mic.source=mic0 is set by default and behaves as described. > > inputs.mic.source=mic1 is accepted and results in silence being recorded. > > then there is probably jack sense circuitry (again, external to the > codec), that switches which mic is connected to the mic pin on the > codec. That explains it to me, thanks. Recording works, I just wanted to understand this difference. Jan
Problem with pf/nat (bug?) and aliases in internal interface
Scenario:

int_if with two ip addresses in two different lans (192.168.20.254, 192.168.21.254).
more aliases in the external interfaces

nat rules: every 10 internal ips use an external address for the nat.

everything works fine, except for the second internal ip address.
ips from 192.168.21.0/24 are natted with rules of net 192.168.20.0/24

machines from internal lan use .20.254 or .21.254 as a gateway.
p.s. both of them work, but the second one uses the wrong nat.

# uname -mprs
OpenBSD 4.4 amd64 Intel(R) Xeon(R) CPU 5110 @ 1.60GHz

# pfctl -vsr
pass in log quick on bnx1 inet from 192.168.20.0/24 to any flags S/SA keep state
  [ Evaluations: 61921 Packets: 370618 Bytes: 216808002 States: 4230 ]
  [ Inserted: uid 0 pid 12418 State Creations: 23774 ]
pass in log quick on bnx1 inet from 192.168.21.0/24 to any flags S/SA keep state
  [ Evaluations: 628 Packets: 13136 Bytes: 10432453 States: 117 ]
  [ Inserted: uid 0 pid 12418 State Creations: 202 ]

# pfctl -vvsn | grep -A2 -e '@0' -e '@24' -e '@25'
@0 nat on bnx0 inet from 192.168.20.1 - 192.168.20.10 to any -> xxx.xxx.xxx.1
  [ Evaluations: 34016 Packets: 57999 Bytes: 23576755 States: 803 ]
  [ Inserted: uid 0 pid 12418 State Creations: 5402 ]
@24 nat on bnx0 inet from 192.168.20.241 - 192.168.20.254 to any -> xxx.xxx.xxx.25
  [ Evaluations: 1079 Packets: 3353 Bytes: 1489982 States: 79 ]
  [ Inserted: uid 0 pid 12418 State Creations: 179 ]
@25 nat on bnx0 inet from 192.168.21.1 - 192.168.21.10 to any -> xxx.xxx.xxx.26
  [ Evaluations: 793 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: uid 0 pid 12418 State Creations: 0 ]

--
Cris, member of G.U.F.I
Italian FreeBSD User Group
http://www.gufi.org/